Now here’s an interesting GDPR complaint: Is Google illegally tracking Android users in Europe via a unique, device-assigned advertising ID?
The advertising ID is a unique, user-resettable ID for advertising, provided by Google Play services. It gives users better controls and provides developers with a simple, standard system to continue to monetize their apps. It enables users to reset their identifier or opt out of personalized ads (formerly known as interest-based ads) within Google Play apps.
Not so fast, says noyb — a European not-for-profit privacy advocacy group that campaigns to get regulators to enforce existing rules around how people’s data can be used — the problem with offering a tracking ID that can only be reset is that there’s no way for an Android user to not be tracked.
Simply put, resetting a tracker is not the same thing as being able to not be tracked at all.
noyb has now filed a formal complaint against Google under Europe’s General Data Protection Regulation (GDPR), accusing it of tracking Android users via the ad ID without legally valid consent.
As we’ve said many, many, many times before, GDPR applies a particular standard if you’re relying on consent — as Google appears to be here, since Android users are asked to consent to its terms on device set up, yet must agree to a resettable but not disable-able advertising ID.
Yet, under the EU data protection framework, for consent to be legally valid it must be informed, purpose limited and freely given.
Freely given means there must be a choice (which must also be free).
Thus the question arises, if an Android user can’t say no to an ad ID tracker — they can merely keep resetting it (with no user control over any previously gathered data) — where’s their free choice to not be tracked by Google?
“In essence, you buy a new Android phone, but by adding a tracking ID they ship you a tracking device,” said Stefano Rossetti, privacy lawyer at noyb.eu, in a statement on the complaint.
noyb’s contention is that Google’s ‘choice’ is “between tracking or more tracking” — which isn’t, therefore, a genuine choice to not be tracked at all.
“Google claims that users can control the processing of their data, but when put to the test Android does not allow deleting the tracking ID,” it writes. “It only allows users to generate a new tracking ID to replace the existing one. This neither deletes the data that was collected before, nor stops tracking going forward.”
“It is grotesque,” continued Rossetti. “Google claims that if you want them to stop tracking you, you have to agree to new tracking. It is like cancelling a contract only under the condition that you sign a new one. Google’s system seems to structurally deny the exercise of users’ rights.”
We reached out to Google for comment on noyb’s complaint. At the time of writing the company had not responded but we’ll update this report if it provides any remarks.
The latest formal complaint over its Android ad ID has been lodged with Austria’s data protection authority on behalf of an Austrian citizen. (GDPR contains provisions that allow for third parties to file complaints on behalf of individuals.)
In terms of process, it notes that the Austrian DPA may involve other European data watchdogs in the case.
This is under a ‘one-stop-shop’ mechanism in the GDPR whereby interested watchdogs liaise on cross-border investigations, with one typically taking a lead investigator role (likely to be the Irish Data Protection Commission in any complaint against Google).
Under Europe’s GDPR, data regulators have major penalty powers — with fines that can scale as high as 4% of global annual turnover, which in Google’s case could amount to up to €5BN. They also have the ability to order that data processing be suspended or stopped. (An outcome that would likely be far more expensive to a tech giant like Google.)
However, there has been a dearth of major fines since the regulation began being applied almost two years ago (exception: France’s data watchdog hit Google with a $57M fine last year). So pressure is continuing to pile up over enforcement — especially on Ireland’s Data Protection Commission, which handles many cross-border complaints but has yet to issue any decisions in a raft of cross-border cases involving a number of tech giants.