Sweden hits up Google for GDPR answers over ‘location history’ privacy settings

Credit: ID 120795764 © Jakub Jirsák | Dreamstime.com

Google is facing fresh questions from Sweden’s privacy watchdog over whether its collection of location history from mobile devices complies with Europe’s new privacy laws. 

Just as France’s handed Google a record €50 million fine for violating the EU’s new General Data Protection Regulation (GDPR), Sweden’s data protection authority (DPA), Datainspektionen, sent Google a letter asking it to explain whether its consent forms in Location History privacy settings complied with GDPR. 

The letter to Google is part of Sweden’s investigation into a complaint made by a Swede on behalf of a consumer rights organization. The consumer raised concerns about Google data collection on his Android phone after US researchers found that turning off Location History on a smartphone doesn’t actually stop Google from storing location history. 

Researchers criticized Google for offering consumers a false option to turn off “Location History”. 

Currently, Google states that having Location History on benefits users by enabling “personalized maps, recommendations based on places you’ve visited, help finding your phone, real-time traffic updates about your commute, and more useful ads.”

Google says that “Location History is turned off by default for your Google Account and can only be turned on if you opt in” and that users can “pause” Location History whenever they want from Activity controls. But it also warns that if “Web & App Activity” is turned on, location data may still be saved to a Google Account, even if Location History is paused.” 

The complaint, from the Swedish Consumers' Organization, points to a paper from the Consumer Council of Norway, which accuses Google of “withholding or hiding information, deceptive design practices, and bundling of services” for Android users in order to “push or trick its users into being tracked”.   

It points out that while Google says Location History is opt-in, the company “nudges" users into enabling the feature “involuntarily” by requiring it be enabled for other services like the voice assistant Google Assistant. 

It also highlights that Google buries disclosures about data from Location History being used for advertising purpose and says there there is “no real option to turn off Location History once it has been enabled”. 

France’s DPA, CNIL, issued a €50 million fine to Google after largely agreeing with similar claims by a complainant that Android users were forced to agree with its privacy policy and that user consent was invalid because the user has no real choice in the matter or suffers as a consequence of it.  

The Swedish consumer advocacy outlines several problems common to the reasons CNIL issued its fine to Google, such as whether the company validly gained consent from users by bundling consent across several services. 

“The user is presented with a bundled “take it or leave it” option where there is no real choice. The scenario is similar if the user wants to use Google Assistant,” writes Sweden’s consumer advocacy. 

It argues Google is forcing users to consent and says its “concerns particularly relate to the use of location data for profiling and advertising purposes.”

Sweden's data protection authority is giving Google until February 1 to respond to its questions, which include why Google processed user information, how Google informed users of this processing, an explanation for why consent was valid, and any corrections to why claims it used "design patterns" to encourage consent.   

Tags privacyGoogleSwedenFranceGDPRCNIL

Show Comments