EU Data Protection Bodies Take Google to Task for Data Transfer Practices

Data protection bodies across the EU are stepping up efforts to challenge the way Google handles personal data.

The Dutch government recently imposed new restrictions on the use of Google Chrome OS and the Chrome web browser in schools after concerns were raised about Google’s data privacy practices.

Officials fear that Google shares students’ personal data with advertisers, who use the information for purposes other than that for which it was originally processed.

It would be a violation of Article 5 of the GDPR (General Data Protection Regulation), which states that personal data must be collected for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

The only exception to this requirement is if the information is used for archiving in the public interest, for scientific or historical purposes, or for statistical purposes.

 “Very serious” GDPR breaches

In addition to these complaints, the Netherlands Minister of Education Robbert Dijkgraaf and Minister of Primary and Secondary Education Dennis Wiersma co-signed a letter to the Dutch parliament outlining a range of cyber security and data protection issues among large tech firms.

The letter describes conversations between the Dutch government and Google, Microsoft and Zoom regarding data protection. The organisations reportedly gave assurances that future versions of its software would demonstrate greater transparency and compliance with the GDPR.

Additionally, Google vowed that a new version of Chrome will be released next year and address the Dutch government’s concerns.

The action follows the announcement from Spain’s AEPD (Agencia Española de Protección de Datos) that it intends to fine Google €10 million for a pair of “very serious” GDPR infringements.

Both incidents concern the way Google transfers EU residents’ data to the Lumen Project, an academic research venture based in the US.

The project is helmed by Harvard’s Berkman Klein Center and is supported by the Electronic Frontier Foundation. Its research involves collecting cease-and-desist letters regarding online activity and analysing how they affect free speech.

Google has contributed to the archive since 2002, following a request from the Church of Scientology to remove content in a bid to silence critics.

The AEPD found that Google’s involvement in the project breached individuals’ right to be forgotten. Its investigation revealed that the form users had to complete to remove their data was faulty and confusing.

Although the AEPD has little recourse against the Lumen Project, because it is based outside the EU, the organisation is believed to have honoured the data protection body’s request to delete the information of users who were found to have been included in its data without a legal basis.

The changing data protection landscape

The challenges to Google’s data protection practices comes amid major changes in EU data protection legislation. Earlier this year, the European Commission adopted the EU DGA (Data Governance Act), which contains rules designed to increase access to public sector data for the development of new products and services.

The DGA applies not only to personal data but to “any digital representation of acts, facts or information”. Its rules entered into force on 23 June and take effect in September 2023.

It follows the introduction of the Digital Services Act and the Digital Markets Act, which are designed to create a safer digital space that better protects individuals’ rights.

These legislations should act as a reminder of the importance of effective information security and data protection.

Although most mainstream reports of GDPR non-compliance have focused on large tech companies, they are not the only ones being targeted.

Everyone has a responsibility to process personal data transparently and use it responsibly. Failure to do so exposes organisations to data breaches and privacy violations, which could result in significant financial and reputational damage.

To meet the GDPR’s requirements, organisations must have experts on board who understand their legal requirements and who can identify problems that must be fixed. If you don’t already have qualified experts on board, it’s essential that you provide training to relevant employees.

Our Certified GDPR Foundation Training Course provides a comprehensive introduction to the Regulation and its requirements.

Delivered by an experienced privacy consultant, this training session is built on the foundations of our extensive practical experience delivering data protection support to clients.

The course is ideal for those who handle personal data on a regular basis and need an understanding of their data processing obligations. 

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.