Google's Irish GDPR probe could provoke doubts about enforcement

13 February 2020 8:39am

7 February 2020 by Vesela Gladicheva

Google's privacy investigation in Ireland risks being less thorough than activists had hoped for, as a result of the data-protection authority's decision to frame its probe as an own-initiative action rather than a response to widespread complaints against the Internet giant.

The Irish Data Protection Commission opened an investigation into Google's location-tracking practices in the first week of February, more than a year after consumer organizations from across Europe filed coordinated complaints against the company.

If the Irish regulator had responded to these complaints directly under the General Data Protection Regulation, it would have incurred a huge administrative burden in gathering and processing all the information related to the case, MLex understands.

The DPC appears instead to have decided to investigate those same practices ostensibly on its own initiative. While it must still involve other national authorities in its investigation, this approach gives it more control over the process and timeframe.

The concern is that the probe might not address all the issues raised in the complaints, since the DPC is not bound to engage with them directly.

The DPC's decision to investigate Google's behavior as it stands now, rather than as it was when the complaints were filed in 2018, could also provoke further complaints and potentially legal challenges to its eventual decision.

The case is being closely watched by companies, privacy regulators and activists as it presents a test of how EU countries work together to coordinate cross-border probes under the GDPR's "one-stop shop" mechanism. An unsatisfactory outcome could call that whole mechanism into question.

Google complaints

Consumer organizations in six European countries — the Czech Republic, Greece, the Netherlands, Norway, Slovenia and Sweden — filed complaints against Google in November 2018, for tracking the movements of users of its Android mobile operating system and using this information to serve them location-specific advertisements.

Google wasn't transparent in how it informed users that it would process their data through the "location history" and "web & app activity" features, the complainants said.

Companies that process data without legitimate legal grounds can be fined up to 4 percent of their global annual revenue under the GDPR.

Sweden's data-protection regulator, Datainspektionen, announced an investigation into the Swedish complaint in January 2019, a day before Google formally named Ireland as its European headquarters — which under the GDPR gives the Irish watchdog the responsibility to investigate cross-border complaints.

In July 2019, the umbrella group of national privacy regulators, the European Data Protection Board, said that enforcers can transfer cases to counterparts if the company's main establishment has changed. In August, the Swedish regulator said that it would hand its investigation over to the Irish DPC.

Irish investigation

On  3 February, the DPC opened an investigation into Google's processing of location data and its transparency obligations linked to that processing under the GDPR.

But the probe took the form of an "own-volition statutory inquiry," raising questions about whether the Irish watchdog would cooperate with its counterparts in other EU countries to the extent envisaged under the GDPR's one-stop shop mechanism.

The complainants' expectation was that the Irish DPC would pick up the six complaints and make use of material already collected from Google by Datainspektionen.

The consumer organizations have approached their national regulators to seek answers about their involvement in the Irish probe. The DPC will give them updates via their national regulators every three months as per the GDPR, MLex understands.

Then and now

As the complainants try to figure out what that means in practice, they are also concerned that the investigation will scrutinize Google's practices today, rather than in 2018, after the company made changes to the way it processes location data over the past year. The fear is that Google might get away with more lenient enforcement.

Over the past year, Google introduced auto-delete controls for users' location history and activity data. It also introduced, among other changes, an "incognito" mode when users don't want the places they search for to be saved to their Google account.

The Irish approach differs from that of the Australian Competition & Consumer Commission. In a lawsuit against Google, the ACCC has alleged that between January 2017 and late 2018, Google misled consumers by not properly disclosing that both the location and the activity settings had to be switched off if they didn't want Google to collect, keep and use their location data.

The issue of timeframes raises questions about the extent to which regulators are willing to tolerate companies making changes to their data-processing practices in response to users' outcry or regulators' warnings, and where enforcers should draw the line.

The problem for the Irish DPC as it embarks on its investigation is that it would be very difficult to identify issues that existed several months ago but have since been resolved or changed. It would depend on the level of evidence available. The understanding is that regulators can't issue an enforcement notice to companies to prevent them from doing something they no longer do.

The worry from complainants is that the GDPR obliges regulators to look at the remedies that organizations have provided to lessen the damage to users' data privacy. This, ultimately, could result in weaker enforcement of the GDPR than they originally set out to achieve.