Tag: Google
10. December 2020
The French Data Protection Authority Commission Nationale de l’Informatique et des Libertès – “CNIL” – announced that it has fined the big tech companies Google and Amazon due to violations of the GDPR and the French Data Protection Act.
Regarding Google CNIL announced financial penalties of an combined record breaking amount of € 100 million. € 60 million are against Google LLC, the US-based mother company, and € 40 million against Google Ireland Limited, the Irish daughter company. According to the statement of CNIL the fines are based on violations regarding the Cookie requirements on the website google.fr. Due to an online investigation, conducted on March 16th, 2020, CNIL considers it as proven that Google “placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information”.
Besides the findings on Cookies, CNIL also critizes a lack of information on the processed personal data and a partial failure of the opposition mechanism.
The high amount of the financial penalties is justified with the seriousness of the violation, the high amount of concerned data subjects and the significant profits of the companies arising of the advertisements.
CNIL also considers the fact, that this procedure is no longer in place since an update in September 2020, because the newly implemented banner does not allow to understand the purposes for which the cookies are used and does not let the data subject know that they can refuse the coolies.
This is already the second, financial penalty CNIL imposes against Google.
Also for violations in connection with cookies CNIL fines Amazon Europe Core a financial penalty of € 35 million. The accusation is the same as with Google and based on several investigations conducted between December 12th, 2019 and May 19th, 2020. CNIL found out, that when a user visited the website, cookies were automatically placed on his or her computer, without any action required on the users part. Several of these cookies were used for advertising purposes. Also a lack of information has been conducted.
The high amount of the financial penalties is in all cases justified with the seriousness of the violation, the high amount of concerned data subjects and the significant profits of the companies arising of the advertisements.
4. June 2020
Google users in the USA accuse Google of tracking their surfing behaviour even though they use the incognito mode. The complaint was filed with the federal court in San Jose, California on Tuesday, June 2nd 2020.
Background of the lawsuit is the accusation of three Google users that “Google tracks and collects users’ browsing history and other information about web activity, regardless of what measures they take to protect it”. In other words, users accuse Google of tracking their behaviour through Google Analytics, plug-ins or apps, evaluating it and using it for advertising – despite using the incognito mode.
The complaint is based on a violation of US wiretapping laws and California Privacy laws. Each plaintiff is claiming $5,000.00 in damages. Since the three plaintiffs allegedly represent thousands more plaintiffs the volume of the lawsuit could run into billions.
Google spokesman Jose Castaneda denies the allegations, citing that by opening an incognito tab on Chrome, it is indicated that websites may continue to collect information about surfing behavior. The incognito mode is about the browser and the device used not storing this data. He announced that Google would take action against the accusations.
17. April 2020
Apple and Google two of the biggest internet giants announced that they will partner on the development of a COVD-19 contact tracing technology.
According to a statement, both of them published on their blogs, aim of the partnership is to develop an App respectively a technical tool which should support the protection of people and to help combat the virus. Furthermore, the tracing technology should help governments and health agencies reduce the spread of the virus.
Apple and Google want to develop a Bluetooth technology which can be used on iOS and Android devices as well as that it can be implemented in Apps of other providers via an API (Application Programming Interface) – which should be published in May.
The tracing technology, using the Bluetooth function and encryption, is designed to detect the distance between two devices in order to identify potentially vulnerable people who have been in close contact with a person tested positive for corona. Therefore, the devices should exchange temporarily ID numbers. In case, one person is tested positive he or she should change the status in the used app in order to inform all persons to which the data subject had contact in the past two weeks.
Both, Apple and Google, ensure that they take data protection requirements seriously. According to the provided information the data should firstly be stored on the respective devices and deleted automatically after two weeks. The data should only be uploaded to a server after change of status to tested positive and obtaining consent of the data subject. The exchanged ID numbers are planned to be uploaded to a list anonymously. In order to increase trust, it is planned to publish the software source codes. This would allow everyone to understand how the data is handled. In addition, this is to ensure that no data will be used for advertising purposes.
6. February 2020
The irish data protection authorty (namely The Data Protection Commission (DPC)) is, in its role as Lead Supervisory Authority, responsible for Google within the European Union.
The DPC startet a formal investigation into Google’s practices to track its user’s location and the transparency surrounding that processing.
Following a number of complaints by serveral national consumer groups all across the EU, the investigation was initiated by the DPC. Consumer organisations argue that the consent to “share” users’ location data was not freely given and consumers were tricked into accepting privacy-intrusive settings. Such practices are not compliant with the EU’s data protection law GDPR.
The irish data protection authority will now have to establish, whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.
The investigation will add further pressure to Google. Google is facing a handful of investigations in Europe. The DPC has already opened an investigation into how Google handles data for advertising. That investigation is still ongoing. If Google is found not complying with the GDPR, the company could be forced to change its business model.
However, there are still a number of steps before the Irish DPC makes a decision including the opportunity for Google to reply.
27. September 2019
In a landmark case on Tuesday the Court of Justice of the European Union (CJEU) ruled that Google will not have to apply the General Data Privacy Regulation’s (GDPR) “Right to be Forgotten” to its search engines outside of the European Union. The ruling is a victory for Google in a case against a fine imposed by the french Commission nationale de l’informatique et des libertés (CNIL) in 2015 in an effort to force the company and other search engines to take down links globally.
Seeing as the internet has grown into a worldwide media net with no borders, this case is viewed as a test of wether people can demand a blanket removal of information about themselves from searches without overbearing on the principles of free speech and public interest. Around the world, it has also been perceived as a trial to see if the European Union can extend its laws beyond its own borders.
“The balance between right to privacy and protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world,” the court stated in its decision.The Court also expressed in the judgement that the protection of personal data is not an absolute right.
While this leads to companies not being forced to delete sensitive information on their search engines outside of the EU upon request, they must take precautions to seriously discourage internet users from going onto non-EU versions of their pages. Furthermore, companies with search engines within the EU will have to closely weigh freedom of speech against the protection of privacy, keeping the currently common case to case basis for deletion requests.
In effect, since the Right to be Forgotten had been first determined by the CJEU in 2014, Google has since received over 3,3 million deletion requests. In 45% of the cases it has complied with the delisting of links from its search engine. As it stands, even while complying with deletion requests, the delisted links within the EU search engines can still be accessed by using VPN and gaining access to non-EU search engines, circumventing the geoblocking. This is an issue to which a solution has not yet been found.
27. August 2019
While other browser developers are critical of tracking, Google wants to introduce new standards to continue enabling personalized advertising. With the implementation of the “Privacy Sandbox” and the introduction of a new identity management system, the developer of the Chrome browser wants to bring browsers to an uniform level in processing of user data and protect the privacy of users more effectively.
The suggestions are the first steps of the privacy initiative announced by Google in May. Google has published five ideas. For example, browsers are to manage a “Privacy Budget” that gives websites limited access to user data so that users can be sorted into an advertising target group without being personally identified. Google also plans to set up central identity service providers that offer limited access to user data via an application programming interface (API) and inform users about the information they have passed on.
Measures like Apple’s, which have introduced Intelligent Tracking Protection, are not in Google’s interest, as Google generates much of its revenue from personalized advertising. In a blog post, Google also said that blocking cookies promotes non-transparent techniques such as fingerprinting. Moreover, without the ability to display personalized advertising, the future of publishers would be jeopardized. Their costs are covered by advertising. Recent studies have shown, that the financing of publishers decreases by an average of 52% if advertising loses relevance due to the removal of cookies.
Based on these ideas, the discussion among developers about the future of web browsers and how to deal with users’ privacy should now begin. Google’s long-term goal is a standardization process to which all major browser developers should adhere. So far, Google has had only limited success with similar initiatives.
30. July 2019
In an attempt to settle a long-running litigation of a class-action case started in 2010, Google agrees to pay $13 million over claims that it violated U.S. wire-tapping laws. The issue came from vehicles used for its Street View mapping Project that captured and collected personal data from private wifi networks along the way.
Street View is a feature that lets users interact with panoramic and detailed images of locations all around the world. The legal action began when several people whose data was collected sued Google after it admitted the cars photographing neighborhoods for Street View had also gathered emails, passwords and other private information from wifi networks in more than 30 countries.
While the company was quick to call this collection of data a mistake, investigators found out that the capture of personal data was built and embedded by Google engineers in the software of the vehicles to intentionally collect personal data from accessed networks.
The new agreement would make Google to be required to destroy any collected data via Street View, agree not to use Street View to collect personal data from wifi networks without consent, and to create webpages and instructions to explain to people how to secure their wireless content.
Google had been asked to refrain from using and collecting personal data from wifi networks in an earlier settlement in 2013, which raises questions as to why it was necessary to include it in the current settlement as well.
18. July 2019
Google may face further investigations under the General Data Protection Regulation(GDPR), after unauthorized audio recordings have been forwarded to subcontractors. The Irish Data Protection Commission (IDPC) has confirmed through a spokesperson that they have received a data breach notification concerning the issue last week.
The recordings were exposed by the Belgian broadcast VRT, said to affect 1000 clips of conversations in the region of Belgium and the Netherlands. Being logged by Google Assistant, the recordings were then sent to Google’s subcontractors for review. At least 153 of those recordings were not authorized by Google’s wake phrase “Ok/Hey, Google,” and were never meant to be recorded in the first place. They contained personal data reaching from family conversations over bedroom chatter to business calls with confidential information.
Google has addressed this violation of their data security policies in a blog post. It said that the audio recordings were sent to experts, who understand nuances and accents, in order to refine Home’s linguistic abilities, which is a critical part in the process of building speech technology. Google stresses that the storing of recorded data on its services is turned off by default, and only sends audio data to Google once its wake phrase is said. The recordings in question were most likely initiated by the users saying a phrase that sounded similar to “Ok/Hey, Google,” therefore confusing Google Assistant and turning it on.
According to Google’s statement, Security and Privacy teams are working on the issue and will fully review its safeguards to prevent this sort of misconduct from happening again. If, however, following investigations by the IDPC discover a GDPR violation on the matter, it could result in significant financial penalty for the tech giant.
27. June 2019
US Senators Mark R. Warner (Democrats) and Josh Hawley (Republicans) want to know from Facebook, Google and Co. exactly how much the data of their users, measured in dollars and cents, is worth to them.
Last Sunday, the two senators announced their intention for the first time in a US talk show: Every three months, each user is to receive an overview of which data has been collected and stored and how the respective provider rates it. In addition, the aggregated value of all user data is to be reported annually to the US Securities and Exchange Commission. In this report, the companies are to disclose how they store, process and protect data and how and with which partner companies they generate sales with the data. All companies with more than 100 million users per month will be affected.
The value of user data has risen enormously in recent years; so far, companies have protected their internal calculations as company secrets. In addition, there is no recognized method for quantifying the value of user data; only when a company is sold or valued by means of an initial public offering (IPO) does it become obvious. In the case of the WhatsApp takeover it was $ 55 per user, in the case of Skype it was $ 200.
But one can doubt the significance of these figures. A further indication can be the advertising revenues, which are disclosed by companies per quarter. At the end of 2018, Facebook earned around $6 per user worldwide, while Amazon earned $752 per user. These figures are likely to rise in the future. “For years, social media companies have told consumers that their products are free to the user. But that’s not true – you are paying with your data instead of your wallet,” said Senator Warner. “But the overall lack of transparency and disclosure in this market have made it impossible for users to know what they’re giving up, who else their data is being shared with, or what it’s worth to the platform. […]” Experts believe it is important for consumers to know the value of their data, because only when you know the value of a good you are able to value it.
On Monday, Warner and Rawley plan to introduce the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act to the parliament for its first reading. It remains to be seen whether their plans will meet with the approval of the other senators.
7. May 2019
Google has announced on its blog that it will introduce an auto delete feature for web tracking history.
So far, users have the option to manually delete data from Google products such as YouTube or Maps. After numerous requests, however, Google follows other technology giants and revised its privacy settings. “We work to keep your data private and secure, and we’ve heard your feedback that we need to provide simple ways for you to manage or delete it,” Google writes on it’s blog.
Users will be able to choose a period for which the data should remain stored, lasting a minimum of 3 months and a maximum of 18 months. At the end of the selected period, Google will automatically delete the data on a regular basis. This option will initially be introduced for Location History and Web & App Activity data and will be available over the next few weeks, according to Google.
Google’s announcement came the day after Microsoft unveiled a set of features designed to strengthen privacy controls for its Microsoft 365 users, aimed to simplify its privacy policies.
On the same day, during Facebook’s annual developer conference, F8, Mark Zuckerberg announced a privacy roadmap for the social network.
