Consumer rights groups in Europe have filed a new series of privacy complaints against Google — accusing the advertising giant of deceptive design around the account creation process that they say steers users into agreeing to extensive and invasive processing of their data.
The tech giant profiles account holders for ad targeting purposes — apparently relying on user consent as its legal basis. But the EU’s flagship data protection law, the General Data Protection Regulation (GDPR), bakes in a requirement for privacy by design and default, as well as setting clear conditions around how consent must be gathered for it to be lawful.
Hence the consumer groups’ beef — if deceptive design by Google is tricking users into accepting its tracking.
They argue the design choices the tech giant deploys around account creation make it far easier for users to agree to Google’s processing of their information to target them with “personalized” ads than to deny consent to its profiling of them for behavioral advertising.
Fast track to being tracked
The complaints highlight how more privacy-friendly options — described by Google as “manual personalization” — require users to take five steps and ten clicks (“grappling with information that is unclear, incomplete, and misleading,” as they put it); whereas it offers a one-click “Express personalisation” option that activates all the tracking, making it terrible for privacy.
They also point out that Google does not provide consumers with the option to turn all tracking “off” in one click, further noting that Google requires account creation to use certain of its own products, such as when setting up an Android smartphone.
In other cases, users may voluntarily create a Google account — but, either way, the tech giant still presents skewed options nudging consumers to agree to its tracking of them.
“Regardless of the path the consumer chooses, Google’s data processing is un-transparent and unfair, with consumers’ personal data being used for purposes which are vague and far reaching,” the complainants also argue in a press release.
The series of GDPR complaints are being coordinated by members group BEUC, aka the European Consumer Organisation.
Per BEUC, complaints have been filed to data protection agencies across EU Member States and markets, including by its member organizations in France, the Czech Republic, Norway, Greece and Slovenia.
It also notes that its German member, the vzbv, has written a warning letter to Google — ahead of potentially filing a civil lawsuit — while consumer groups in the Netherlands, Denmark and Sweden have written to their national DPAs to alert them to the practices.
Commenting on the action in a statement, Ursula Pachl, deputy DG of BEUC, said:
“Contrary to what Google claims about protecting consumers’ privacy, tens of millions of Europeans have been placed on a fast track to surveillance when they signed up to a Google account. It takes one simple step to let Google monitor and exploit everything you do. If you want to benefit from privacy-friendly settings, you must navigate through a longer process and a mix of unclear and misleading options. In short, when you create a Google account, you are subjected to surveillance by design and by default. Instead, privacy protection should be the default and easiest choice for consumers.”
This is not the first privacy-related complaint EU consumer rights have made about Google’s practices. They also raised a complaint focused on its collection of location data back in 2018 — but it took until February 2020 for Google’s lead EU data supervisor, Ireland’s Data Protection Commission (DPC), to start an inquiry. And, more than 2 years later, that data probe remains ongoing.
Back in May, the DPC’s deputy commissioner, Graham Doyle, told ProWellTech it was expecting to submit a draft decision on the Google location data inquiry to other DPAs for review “over the coming months.” However, if there is disagreement over Ireland’s approach, it could add many more months before agreement on a final consensus decision is reached. So a resolution of that long-running complaint may still not arrive this year.
The DPC also still hasn’t issued decisions on other long-running GDPR complaints against Google. Such as a major complaint about its adtech, which it began investigating in May 2019 — and is now being sued over for inaction.
Another complaint — against’s Google use of so-called forced consent on its Android mobile platform — dates back to May 2018, although it’s not clear if the DPC ever opened an inquiry in that case. France’s data protection watchdog, the CNIL, proceeded to investigate — and fined Google $57 million back in January 2019 over breaches of transparency and consent attached to how it operates Android. (The CNIL decided it had competence in that case since Android-related decisions were likely taken in the U.S., rather than in Dublin, where Google’s regional HQ is based.)
But Ireland has yet to issue a single GDPR decision against Google.
BEUC is not hiding its frustration at the DPC’s lack of enforcement over complaints against the tech giant.
“Google is a repeat offender,” said Pachl. “It is more than three years since we filed complaints against Google’s location-tracking practices and the Irish DPC in charge has still not issued a decision on the case. Meanwhile Google’s practices have not changed in essence. The tech giant still carries out continuous tracking and profiling of consumers and its practices set the tone for the rest of the market.”
“We need swift action from the authorities because having one of the biggest players ignoring the GDPR is unacceptable,” she added. “This case is of strategic importance for which cooperation among data protection authorities across the EU must be prioritised and supported by the European Data Protection Board.”
Issues around Google’s tracking of account users is separate to the advertising giant’s cookie-based tracking — where it deploys technologies to track users across third-party websites and apps.
The latter process has been the subject of other EU complaints that have led to some enforcements in recent years, with France’s data protection watchdog hitting Google with fines approaching $300 million for cookies tracking-related breaches under the bloc’s ePrivacy Directive — after which Google made some changes to the cookie consent banner it shows web users in Europe.
Strategic complaint
Pachl’s remark about the Google account sign-up complaint being of “strategic importance” refers to BEUC’s expectation that the case will trigger the launch of a procedure under the GDPR’s cooperation mechanism (i.e., Article 60), which it hopes will function more smoothly than it has been since 2018, when the Google location data complaint was filed.
The reason BEUC is hoping for smoother sailing now is because of an agreement EU DPAs reached in April — aka the “Vienna declaration” — when they committed to enhance their enforcement cooperation on cross-border GDPR cases of “strategic importance.”
A complaint against a tech giant like Google clearly hits that bar. But the older Google location data complaint has been saddled with a number of cooperation-related issues that have contributed to slowing down investigation and delaying a decision in that case.
Discussing what changes BEUC hopes to see being applied by regulators in tackling this fresh cross-border Google complaint, David Martin Ruiz, team leader for digital policy at the organization, told us: “We expect that the treatment of the complaints is prioritised as it touches upon practices by a major market player in the surveillance economy which affect millions of Europeans. The first time it took around 6 months just to name the lead authority. Also, we expect better, closer cooperation among the authorities, for example in terms of checking the admissibility of the complaints, and that this is done only once by the authority which receives the complaints. Of course, we expect that closer cooperation and strategic prioritisation by the authorities involved leads to a swift, comprehensive investigation of the complaints and efficient enforcement.”
Still, Ruiz declined to offer a prediction for how much faster the revised cooperation procedure will be able to deliver enforcement against Google, saying: “It is hard to put a concrete number on this but we certainly hope it takes less than the one that is ongoing, and we are not here 3 years from now still waiting for a draft decision.”
The European Commission, which has also been critical of adtech giants’ approach to compliance with EU privacy laws, recently defended slower regulatory enforcements in these major, cross-border cases.
In a letter to the European ombudsperson — which has been looking into the EU executive’s monitoring of the GDPR following complaints about the Commission’s own oversight of the regulation — justice commissioner, Didier Reynders, likened the level of complexity involved in these big investigations to antitrust cases, writing:
” … it is important to make a distinction between cases which are relatively straightforward and do not require extensive investigations and cases which require complex legal and economic assessment or pose novel issues. Those complex cases, for instance those touching on issues relating to the business model of big tech multinational companies, might require several months or years of investigations, similarly to what happens for competition law investigations. This is particularly relevant for Ireland since many of such companies have their main establishment in this Member State.”
Responding to Reynders’ point, Ruiz told ProWellTech: “We agree and understand that these are complex issues and the authorities need time to build strong cases. However, we have seen problems that go beyond the time it takes to investigate these cases (e.g., a DPA narrowing down the scope of complaints when deciding to open their own investigation). Moreover, a lot of the big complaints that are taking years are actually not normal complaints, in the sense that they come already backed with a lot of legal analysis and factual evidence, aiming to facilitate the tasks of the DPAs. Also, of course, the time it takes to resolve these cases is also an illustration of deeper issues, like a lack of sufficient resources. Hopefully, strengthened cooperation and strategic prioritisation, as per the Vienna declaration, will help reduce the time it takes to investigate these cases. Complexity and the time it takes to investigate cannot be an excuse for inaction.”
BEUC isn’t calling for major revisions to GDPR to solve the problem of timely enforcement against Big Tech. But it is pushing for DPAs to make a whole series of process changes, individually and collectively, in order to address issues like the bottleneck of cases linked to the regulation’s one-stop-shop/lead data supervisor structure, which has enabled the problem of forum shopping.
“In a nutshell, regarding Big Tech, the first step is to stop the ‘bottleneck,’” he said. “Basically, DPAs, in particular one DPA which has oversight over many of the Big Tech companies, needs to deliver decisions on the open cases. And both the lead DPA, and the rest of the DPAs in the EDPB, need to be strict and ambitious in their interpretation and application of the rules. Also, if the lead DPA is not delivering the decisions, the others must make full use of their powers and take urgent measures. There needs to be a clear signal to Big Tech that window dressing and cosmetic transparency measures won’t do anymore. There are some fundamental issues in their core business practices that must be addressed, because they run contrary to the very essence of the GDPR.”
“Of course it is a concern that enforcement does not move as fast as market practices, and companies are changing things all the time. It is very important to underline that a company tweaking and correcting something should not erase past infringements and leave them unpunished, especially if they have been going on for years and they have affected millions of people. Otherwise, it is a very dangerous signal we are sending to companies,” he added. “We would be telling them ‘it is ok to infringe the GDPR as long as you are not caught, and if you are caught, just fix it quickly and there will be no consequences.’ This is the opposite of what should happen. Infringements must have consequences. Otherwise there is no justice, and no deterrent effects.”