Google’s Android advertising ID targeted in GDPR strategic tracking complaint – TechCrunch
Now here is an interesting GDPR complaint: Does Google illegally track Android users in Europe through a unique advertising ID assigned to the device?
First of all, what is Android Advertising ID? By google the description to developers who create applications for its smartphone platform, it is – [emphasis added by us]
The advertising identifier is a unique identifier, user resettable Identifier for advertising, provided by Google Play services. It gives users better controls and provides developers with a simple, standard system to continue to monetize their apps. It allows users to reset their username or opt out of personalized ads (formerly known as interest-based ads) in Google Play apps.
Not so fast, said noyb – a European non-profit privacy group campaigning for regulators to enforce existing rules on how people’s data can be used – the problem with offering a tracking ID that can not be reset is that there is no way for an Android user not to be tracked.
Simply put, resetting a tracker isn’t the same as not being able to be tracked at all.
Noyb has now filed a formal complaint against Google under the European General Data Protection Regulation (GDPR), accusing it of tracking Android users through the advertising ID without legally valid consent.
As we said many, many, numerous times before, GDPR applies a particular standard if you rely on consent – as Google seems to be here, since Android users are asked to consent to its terms when setting up the device, but must agree to a resettable advertisement but cannot be deactivated IDENTIFIER.
Yet under EU data protection, for consent to be legally valid, it must be informed, limited in purpose and freely given.
Given freely means that there must be a choice (which must also be free).
So, the question arises, if an Android user cannot say no to an advertising id tracker – he can just keep resetting it (without any user control over previously collected data) – where is his free choice not to be tracked by Google?
“In essence, you buy a new Android phone, but by adding a tracking ID, they send you a tracking device,” Stefano Rossetti, privacy lawyer at noyb.eu, said in a statement on the complaint.
Noyb’s claim is that Google’s “choice” is “between tracking or Following tracking ”- which is therefore not a real choice not to be tracked at all.
“Google claims that users can control the handling of their data, but when it is put to the test, Android does not allow the removal of the tracking ID, ”he wrote. “This only allows users to generate a New Tracking ID to replace the existing one. This does not delete data that has been collected before, nor does it stop tracking in the future. “
“It’s grotesque,” Rossetti continued. “Google claims that if you want them to stop following you, you have to agree to a new follow-up. It’s like canceling a contract just on the condition that you sign a new one. Google’s system seems to structurally deny the exercise. user rights.
We reached out to Google to comment on the noyb complaint. At the time of writing, the company had not responded, but we’ll update this report if it contains any remarks.
The tech giant is under active GDPR investigation related to a number of other issues, including tracking user locations; and its use of personal data for online advertising.
The last formal complaint on its Android advertising ID was filed with the Austrian Data Protection Authority on behalf of an Austrian citizen. (The GDPR contains provisions that allow third parties to file complaints on behalf of individuals.)
Noyb says the complaint is partially based on a recent report from the Norwegian Consumer Council – which analyzed how popular apps frantically share user data with the behavioral advertising industry.
In terms of process, he notes that Austrian ODA may involve other European data observers in the case.
This is done as part of a ‘one-stop-shop’ mechanism in the GDPR whereby interested watchdogs liaise during cross-border investigations, with one of them usually playing the role of lead investigator (probably the Irish Data Protection Commission in any complaint against Google).
Under the European GDPR, data regulators have significant sanctioning powers, with fines of up to 4% of global annual revenue, which in Google’s case could be as high as ‘to 5 billion euros. And the possibility of controlling data processing is suspended or stopped. (A result that would likely cost a tech giant like Google significantly more.)
However, there has been a dearth of major fines since the regulation began to be enforced almost two years ago (exception: France’s data watchdog fined Google $ 57 million. dollars last year). Pressure therefore continues to build up on the enforcement – particularly on the Irish Data Protection Commission which deals with many cross-border complaints but has yet to render a decision in a series of cross-border cases involving a number. giants of technology.