Too big to care? Google and the exploitation of your data
On 22 January 2019 Google updated its Terms of Service and Privacy Policy for Europe.
The message is quite reassuring:
“Nothing about your experience in Google services will change. And nothing is changing in terms of your privacy settings, the way your data is processed, nor the purposes of its processing”.
Then it says: “However, if you don’t want to accept these changes in our terms and Privacy Policy, you can choose to stop using the applicable services.”
Simple. If you don’t like it, don’t use it. After all, the service is free. Except that around 80% of smart mobile devices globally run on the Android operating system, which is controlled by Google. And Google dominates the global market of general internet search services with over 85% of the market.
What is new in Google's Terms and Services and Privacy Policy for Europe?
Annoucing the updates to its Terms and Service and Privacy Policy for Europe, Google stresss that "the most important of these is that Google Ireland Limited will become the “data controller” legally responsible for EEA and Swiss users’ information. This means that Google Ireland Limited becomes responsible for responding to requests for its user data, including from EU law enforcement, consistent with Irish law. It is also responsible for compliance with applicable privacy laws, including Europe’s new General Data Protection Regulation (GDPR). We’re making the data controller change to facilitate engagement with EU data protection authorities via the GDPR’s “One Stop Shop” mechanism, which was created to ensure consistency of regulatory decisions for companies and EU citizens."
What does this mean? Google may be seeking to limit further action from european data protection regulators. A data controller is the entity responsible for protecting people's data and complying with GDPR. GDPR provides that in certain circumstnaces a data controller may have a lead data protection authority, so if a company breaches GDPR they are only investigated by one data protection authority and only receive one fine across the EU. In CNIL's recent fine of €50million issued to Google LLC, the issue of whether Google LLC or Google Ireland were the data controller and therefore whether there was a lead data protection authority arose, and it found that in the context of the Android operating services, the Irish DPA was not the lead superviosry authoirty. This meant that CNIL could proceed with its investigation and action against Google LLC. By changing the data controller (through this update) to Google Ireland, Google appears to be seeking to ensure that the Irish DPA is the lead authority for future actions and thus dodge further action by others DPAs in the EU.
Is this fair?
As a nice touch Google says that they will "ask for your consent before using your information for a purpose that isn’t covered in this Privacy Policy.” But most of the data collected when you agree to the privacy policy you cannot control.
This does not sit well with the requirements under the EU General Data Protection Regulation, which demands that consent for the processing of personal data to be "freely given, specific, informed and unambigous".
What do regulators say?
On 21 January 2019 the French data protection authority (CNIL) found Google in breach of the General Data Protection Regulation and issued Google a fine of €50 million based on complaints by the NGOs NOYB and La Quadrature Du Net in May 2018.
One of the key findings in CNIL's decision is the lack of valid consent in relation to Ads personalisation. The French data protection authority found that it is not sufficiently specific to simply ask users to tick generic boxes such as « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy». Each and every processing operations purposes carried out by Google based on consent need to be specific.
As CNIL notes, users should be given the opportunity to consent to each of the data processing before they are asked to accept terms and conditions or general privacy policy (see paragraph 160 of the decision, French version).
Why does this matter?
Google collects vast amounts of data, even when you do not have a Google account or are not signed into your account.
"When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using. The information we collect includes unique identi ers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request."
The list of data goes on for a few pages.
Google "collect information about your activity in our services, including: terms you search for on Google, videos you watch on YouTube, views and interactions with content and ads, "people with whom you communicate or share content"
They also "also collect the content you create, upload, or receive from others when using our services." This includes information such as emails you write and receive, photos and videos you save, docs and spreadsheets you create, and comments you make on YouTube videos you watch.
If you use Google services to make and receive calls or send and receive messages, they "collect telephony log information like your phone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information, and types of calls."
Google also collects location data, always, it says, in order to be helpful to you.
"Your location can be determined with varying degrees of accuracy by:
GPS , IP address, Sensor data from your device, Information about things near your device, such as Wi-Fi access points, cell towers, and Bluetooth- enabled devices
The types of location data we collect depend in part on your device and account settings."
For good measure, they also collect information from other sources.
"In some circumstances, Google also collects information about you from publicly accessible sources. For example, if your name appears in your local newspaper, Google’s Search engine may index that article and display it to other people if they search for your name. We may also collect information about you from trusted partners, including marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertisers to provide advertising and research services on their behalf."
Why are Google collecting and using this vast array of information?
The list of purposes for the processing of personal data is also long.
Among them, “we use the information we collect in existing services to help us develop new ones.”
This may seem quite innocuous, but it has significant implications for market's dominance and, ultimately, control over users' choices. Google uses our personal data to develop products which ensure they are ahead of the curve in terms of knowing which new products will be successful.
Ditto for the “measure performance” (another of the purposes for processing) which explicitly includes: using “data about the ads you interact with to help advertisers understand the performance of their ad campaigns. We use a variety of tools to do this, including Google Analytics. When you visit sites that use Google Analytics, Google and a Google Analytics customer may link information about your activity from that site with activity from other sites that use our ad services.”
What the privacy terms don’t say is that Google Analytics represents over 60% of the web analytics software market share (the second largest one, with only over 10% is Facebook Analytics).
These practices raise significant competition concerns, given the dominance, near monopoly of Google in the search engine market and the other markets (such as smart mobile phone using Android.)
Too big to care?
Big companies such as Google, Facebook and others continue to impose terms and conditions on users which allow them to collect, analyse and share more and more personal data in ways that people do not understand given the lack of transparency or cannot genuinely consent to. These privacy harms are directly caused by their business models, which increasingly rely on the availability of users’ data, and can impose excessive collection of data on people who have become “captive users” to their providers, given their lack of genuine choice.
Civil society organisations, including NOYB, La Quadrature Du Net and the Norwiegan Consumer Council have raised numerous complaints on this issue.
Data protection authorities, such as CNIL, are beginning to address these practices. But the power imbalance is vast and hugely slanted in big companies' favour. Other regulators, such as antitrust authorities, and policy makers need to intervene to address the data exploitation these companies rely upon.