It is now one year since BEUC and ten of its members alerted their national data protection authorities about Google’s ‘Fast Track to Surveillance’ when consumers create a Google account.
We found that Google was using deceptive design, unclear language and misleading choices when consumers signed up to a Google account in order to carry out more extensive and invasive data processing. We found evidence the tech giant is breaching the EU’s General Data Protection Regulation (GDPR) and asked authorities to intervene.
This issue matters. Lots of consumers have a Google account. You get pushed to create a Google account when you use all kinds of the company’s online services like Google Maps or YouTube, or when you buy an Android phone, on the pretense that Google can better personalise its recommendations to you. But Google also forces you to create an account in other cases, like if you want to download apps from its Play Store.
During this sign-up process, you have to go through endless screens and ambiguous information to be able to protect your privacy as much as Google will allow you, whereas in one click you can hand away all your data to serve the company’s interests and get placed on a fast track to surveillance. This is contrary to what the law stipulates: privacy-friendly settings must be the default settings from the start.
What has happened in the last year?
Since last year, some of the consumer groups participating in the action heard back from their authorities who acknowledged receipt of the complaints or mentioned the Irish Data Protection authority was responsible to lead the case.
But since then, nothing. Zilch. Not a sound.
So while we wait, consumers are still facing an unfair, uphill struggle to protect their data when they sign up to a Google account. How many millions more have signed up to a Google account since?
Unfortunately, this lack of progress doesn’t come as a big surprise. Our previous set of complaints against Google, for the way the company tracked its users’ locations, was filed with data protection authorities in November 2018, and we still don’t have a decision more than four and a half years later. As good as the GDPR might be on paper, its enforcement against big tech companies has been too weak.
Here’s what needs to change
It doesn’t need to be this way. Cross-border enforcement must be improved; bottlenecks and waiting times cut down.
And the good news is that the European Commission, under pressure from some data protection authorities, the European Data Protection Board and civil society groups, will soon propose to harmonise some procedural rules in cross-border border cases of the GDPR.
We have already outlined how they should do that. A complainant (consumer) should have the same procedural rights as the company under investigation. At the moment, in some countries, the complainant does not get access to important information or have a right to be heard in the way the defendant does.
We also believe that data protection authorities in different countries should mutually recognise the admissibility of a complaint and the organisations who represent the individuals once the authority that received the complaint has done it. There is no need for other authorities involved in the case to repeat this exercise. It is a waste of time and resources, particularly when these exercises happen months after the complaint was lodged.
Let’s hope the Commission follows our advice! We stand ready to help EU legislators solve the problems identified. That will be a way to get speedier and more effective enforcement of people’s rights under data protection law and to create a level playing field for the companies that do respect the GDPR, while those that do not are not able to get away with it.
In the meantime, we urge data protection authorities to speed up their investigations and make sure consumers get the protection they are entitled to. The Fast Track to Surveillance that Google has set up with its account sign-up is neither fair nor acceptable. Big Tech companies like Google should not be able to get away with trampling on people’s rights to privacy and personal data protection.