Where does responsibility lie – and what initiative may a national data protection authority take – when a company has potentially breached consumer privacy protections guaranteed under the new General Data Protection Regulation?
Those questions were not immediately answered following reports last week that Google – which stores data for European users in its big Irish data centres – offered less-than-transparent controls to people who wish to disable location tracking by the company. But they should have been.
Last week, I wrote about the damning Associated Press report that indicated that Google continues to collect revealing location-based data through users' Android phones and via Google Maps on the iPhone, even when users of those devices and services believe they have turned off location tracking.
Many feel this violates GDPR, including Daragh O'Brien, a GDPR expert and managing director of Dublin information management consultants Castlebridge. But the office of the Irish Data Protection Commissioner (ODPC) questioned on Twitter the statement from him quoted in my column, that Ireland would be Google's lead regulator.
It also said that any investigation involving Google's Android operating system would be handled by France because a complaint (unrelated to the new report) had already been filed in that jurisdiction by privacy activist Max Schrems's organisation, noyb.
ODPC spokesman Graham Doyle later told me that technically the Irish ODPC is not officially the lead regulator for Google, because while Google has indicated that it will select Ireland as its primary EU regulator under the GDPR's 'one stop shop' mechanism, the company has not yet completed the needed administrative work.
Doyle noted that Irish citizens could file a complaint with the ODPC here too, however.
Primary regulator choice
But these responses raised further questions in my mind.
First, why would all complaints about Android need to be handled by the French Data Protection Authority (DPA) simply because one initial complaint – whether related or not – was filed there? Second, surely companies should have registered their primary regulator choice by May 25th, the implementation date for GDPR?
And finally, why hadn’t the Irish ODPC taken action on foot of that AP report – since a significant portion of the entire EU population must be affected, given widespread use of Android handsets and Google Maps? Did it actually have to await a user complaint?
I asked Simon McGarr, director of Data Compliance Europe and solicitor for privacy activist Digital Rights Ireland, to look at these elements. He began by noting that companies had the option of selecting a primary regulator under GDPR, and could do so at any time, but did not need to.
However, from a company perspective, choosing a primary regulator makes sense because it removes an element of uncertainty – never knowing which regulator might handle a given complaint.
Second, he stated – and Doyle separately clarified and confirmed to me upon further internal consultation – that complaints about Android do not need to go in the first instance to France.
And, in line with another point made to me by McGarr, I’d argue that the Irish ODPC would be Google’s de facto primary regulator, regardless of any outstanding paperwork or even if Google chose a different regulator. That’s because all the data at the centre of any potential dispute is on Irish soil, meaning any complaint filed elsewhere is inevitably going to involve the Irish ODPC.
The larger question of what proactive powers Irish data protection commissioner Helen Dixon could bring to bear – even in the absence of a complaint – interested me most.
McGarr noted: “The DPC has both all the powers and the competency required under [GDPR] article 55 to investigate a clear risk to the rights and freedoms of individuals in Ireland, whether it receives a complaint or not.”
An additional element of the legislation, article 122, acknowledges that investigations into potential breaches can come from complaints, or from the DPA’s own investigations, McGarr said.
“This should include handling complaints lodged by a data subject, conducting investigations on the application of this regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.”
And just as I finished this discussion with McGarr, Doyle contacted me again to state that the ODPC had indeed taken the initiative at the start of last week of “making enquiries” to Google about the report’s findings, even though a formal complaint had not been filed.
That’s commendable and needed initiative, and – given the international scale of this controversy – should be followed immediately by launching a formal investigation, if that has not already been done.
In the face of these powerful corporate giants, the ODPC is always going to be David up against Goliath. In this case and in others down the line, Helen Dixon will need to show her mettle in this way, and act with every GDPR tool she has at her disposal.