Google’s new functionality - a step in the right direction?

 July 25, 2019 | Blog

In May 2019, Google announced that it was developing 'auto-delete' controls, which are now being slowly rolled out. This functionality enables users to determine the storage period for specific data, such as location history and online activity ('Web and App Activity'). It was already possible to manually delete data before this, but the new functionality automatically deletes the selected data once the chosen period ends. Is Google taking a step in the right direction with this?

Google under fire
For some time now, Google has been widely criticised for how it handles its users' personal data and privacy. Since the implementation of the General Data Protection Regulation ("GDPR"), this tech giant seems to have come under close scrutiny. For example, the CNIL (the French data protection authority) imposed a fine of EUR 50 million in January 2019, due to a lack of transparency, the provision of unclear and incomplete information on the processing of personal data, and non-compliance with the requirements for obtaining consent.

The Irish supervisory authority also initiated an investigation into the use of personal data, more specifically in the context of Google Ad Exchange. Among other things, the Irish supervisory authority is investigating whether Google is complying with the principles of transparency and data minimisation and is looking closely at its retention policy.

Especially since the enormous fine the French CNIL imposed, it has become patently clear that Google needs to implement quite a number of changes in its processes and systems if it wants to prevent any further fines.

Control over personal data
On its website, Google states that it developed this functionality to enable users to manage their personal data in a simple way. This was apparently due to feedback Google had received.

This is indeed the aim of the GDPR - for data subjects to have more control over their personal data. For example, the GDPR not only provides extensive rights for data subjects, such as the right to be forgotten and the right to information, but it also provides that processing operations must comply with various principles, such as transparency, minimisation and purpose limitation (Art. 5(1) GDPR).

Furthermore, the accountability obligation (Art. 5(2) GDPR), pursuant to which organisations must demonstrate that they have taken suitable and sufficient measures to comply with the GDPR, is of great importance. Not only are organisations required to establish written procedures and information on the processing of personal data, they must actually be able to comply with them too. For example, a Danish court recently imposed a fine on a company that had prepared a retention policy, but that still failed to remove the personal data it had processed within the set periods.

Storage limitation
In any case, this new tool appears to be an elaboration of the principle of 'storage limitation'. According to this principle, personal data may not be stored for longer than is required for the purposes for which the data was collected. In that context, however, the question can also be raised as to why the auto-delete functionality is not being applied in reverse. Personal data would then be retained for a standard period of 3 months, unless the user opts for the data to be retained for a longer period, with a view to user-friendliness. That would be a full - and accurate - elaboration of the storage limitation principle. After all, based on the current approach of the tool, it is apparent that it is not necessary to retain the personal data for a period exceeding 3 months.

Privacy by design and privacy by default
The foregoing would also link up with the principles of 'privacy by design' and 'privacy by default', also known as 'data protection by design and by default'. These principles mean that the controller must ensure that data protection is taken as a starting point when systems and procedures are being developed. What is more, these systems and procedures may only have a minimal impact on the privacy of data subjects.

The auto-delete functionality is partly in line with these principles. For example, it has been shown that it is possible to limit the impact on the privacy of users, at least with respect to the period during which the information on location history and online activity is stored. However, the principles of data protection by design and default are only partly met, since the user must change the settings himself. Also, the functionality only covers a small portion of the services Google offers. In that respect, it remains unclear whether Google will need the collected personal data at all for the purposes for which they were collected.

New standard?
With its auto-delete functionality, Google is taking a step in the right direction, but this does not mean it is now fully GDPR-compliant, of course. The question is, however: what are the consequences of this?

Will functionalities such as these - even if they only meet some of the GDPR's requirements - become the new standard? Or will authorities stick to their guns and impose fines anyway, as this still does not constitute full compliance? The future will tell how the relevant authorities handle this. 
