Google defends consent practice in Swedish data-location GDPR probe

13 May 2019 4:08pm

7 May 2019. By Vesela Gladicheva.

Google has told Swedish investigators that the way it seeks permission from users to handle their location data is in line with EU privacy rules, MLex has learned.

In documents dated May 3 seen by MLex, the US tech giant also argued that it wasn't necessary under the General Data Protection Regulation to conduct an assessment of privacy risks for individuals stemming from its “web & app activity” feature.

Google asks users for their consent to lawfully collect location data via “web & app activity” to give them “location-based recommendations, more relevant results and more relevant ads,” the company said in its 21-page response.

“In accordance with the GDPR, users' consent to process personal data for these purposes is (1) freely given . . . (2) specific … (3) informed … and (4) unambiguous," Google added.

Google has been under investigation since January by Sweden's privacy watchdog, Datainspektionen, over alleged violations of the GDPR, following a complaint by the Swedish Consumers' Association.

The complaint is part of a coordinated activity by national consumer organizations in six European countries: the Czech Republic, Greece, the Netherlands, Norway, Slovenia and Sweden.

Google was responding to a second set of questions by Datainspektionen to help it finalize its probe.

Among the questions were: what legal basis Google cites for the collection of the data under the GDPR; why it thinks it doesn't process sensitive data; and whether it has consulted watchdogs elsewhere in the bloc about the level of risk posed by its data processing.

In its reply, Google stressed that on May 1 it announced a new tool that would allow users “to choose a time period for how long they want to keep activity information in their account.” The company also said it had recently taken steps to minimize the location data it stores in the “web & app activity” feature by keeping approximate rather than precise information.

The Swedish regulator had pointed out that during the account creation process, Google presents users with more options where they can personalize their settings, including a “pre-ticked box which the user must deselect in order to inactivate 'web & app activity'.”

Google explained that decision by referring to a “pop-up dialog” that appears on users' screen to when they click on “create account,” to remind them that they are consenting to the processing of their data for purposes such as recommendations and personalized ads.

— Sensitive data, impact assessment —

Elsewhere in its reply, Google confirmed that the location data it stores don't contain sensitive information as defined under the GDPR, which would require additional safeguards. “We do not allow any [special category data] to be inferred or derived from location data” as outlined in the regulation, Google said.

The company also explained that the “web & app activity” feature didn't trigger an obligation to carry out an assessment of any risks it poses to users. That's because it's merely meant to provide users with transparency and greater control over their data, and Google doesn't take decisions based on actions stored in the feature.

Google also told Swedish investigators that it collected location data via the “web & app activity” feature from 5,500,000 Swedish accounts.

Companies that breach the GDPR could be fined up to 4 percent of their annual global turnover.

GDPR