Ireland’s Data Protection Commission (DPC) has opened a formal investigation into the processing of location data by Google and Tinder, after receiving a barrage of complaints from European consumer rights groups for more than a year.
The regulator announced the Google probe in a statement:
The issues raised within the concerns relate to the legality of Google’s processing of location data and the transparency surrounding that processing. … As such, the DPC has commenced an own-volition Statutory Inquiry, with respect to Google Ireland Limited, pursuant to Section 110 of the Data Protection 2018 and in accordance with the co-operation mechanism outlined under Article 60 of the GDPR. The Inquiry will set out to establish whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency,
Reportedly, the investigation into Google will examine the legality of how the tech giant processes location data and whether it is tracking people and selling that information in a transparent way.
The investigation into Tinder will look at how the dating app collects and processes people’s data and shares it with advertising partners.
The DPC says it will also be looking into whether Tinder has been correctly handling data requests from users. Acording to the GDPR, residents of European countries have several options regarding the way companies use their data. For example, they can request a copy of their personal information, or ask for their data be deleted entirely.
The investigation into Tinder follows the publication of a report by the Norwegian Consumer Council,
accusing Tinder, among other dating apps, for irresponsibly spreading sensitive user data. The regulator says it has received complaints from residents of Ireland as well as in other European Union countries.
Both Google and Tinder have stated that they will cooperate with the DPC’s investigations.
In a statement to TechCrunch, a Google spokesperson sais:
People should be able to understand and control how companies like Google use location data to provide services to them, … We will cooperate fully with the office of the Data Protection Commission in its inquiry, and continue to work closely with regulators and consumer associations across Europe. In the last year, we have made a number of product changes to improve the level of user transparency and control over location data.
Media company CNET noted, if the regulator finds Google and Tinder haven’t been fully compliant with GDPR, they could face fines of up to four percent of their total annual revenue in the previous year. As of this past January, the EU has imposed approximately $126 million in GDPR-related fines.
BEUC, an umbrella group for European consumer rights groups, said the complaints about “deceptive” location tracking were filed back in November 2018—several months after the General Data Protection Regulation (GDPR) came into force in May 2018.
It said the rights groups are concerned about how Google gathers information about the places people visit which it says could grant private companies (including Google) the “power to draw conclusions about our personality, religion or sexual orientation, which can be deeply personal traits.”
The complaints argue that consent to “share” users’ location data is not valid under EU law because it is not freely given —an express stipulation of consent as a legal basis for processing personal data under the GDPR — arguing that consumers are rather being tricked into accepting “privacy-intrusive settings”.
Commenting further in a statement, Monique Goyens, BEUC’s director general, also said: “Consumers should not be under commercial surveillance. They need authorities to defend them and to sanction those who break the law. Considering the scale of the problem, which affects millions of European consumers, this investigation should be a priority for the Irish data protection authority. As more than 14 months have passed since consumer groups first filed complaints about Google’s malpractice, it would be unacceptable for consumers who trust authorities if there were further delays. The credibility of the enforcement of the GDPR is at stake here.”