AP does not have to investigate Google from the judge
The Dutch Data Protection Authority is not required to investigate possible violations of European privacy legislation. The judge does not consider the investigation necessary, because the Irish regulator is examining the case. The Consumers’ Association says it is disappointed with the ruling.
The interest group writes this in a press statement.
Consumers’ association angry that Google secretly collected location data for years
To start this case, we have to go back to 2018. That year, the Consumers’ Association filed a complaint with the Dutch Data Protection Authority about what Google does with location data. Location data can be linked to special personal data. For example, if Google finds that someone regularly visits the mosque, that says something about his religious conviction. The same goes if someone regularly goes to the gay bar, or can be found at the headquarters of a political party.
The Consumers’ Association also criticized the way in which the American tech company collects location data. In the settings menu of Android, the operating system of Google, you can indicate via the Location tab that you do not want to share data about your location with Google. However, it is not enough to end Google’s data collection practices. Users must also disable Web & App Activity elsewhere in the settings menu.
This was completely unclear to many in 2018. The Consumers’ Association, together with seven other consumer organisations, subsequently filed a complaint with the Dutch Data Protection Authority.
Irish regulator investigates privacy violations by Google
For two years, the regulator had still not made a decision on the matter. To enforce a decision, the interest group went to court at the end of 2020. Sandra Molenaar, director of the Consumers’ Association, found it “appalling” that the privacy watchdog had barely made a statement after two years. “At the national level, the AP is simply on the move, but it remains on its hands. And we hear nothing. Even simple questions about the process don’t answer us,” said Molenaar at the time.
The Dutch Data Protection Authority said it could do nothing in this matter. The one-stop-shop system enshrined in the European privacy law stipulates that the country where Google’s headquarters is located must take the lead in the investigation. That’s Ireland. The Data Protection Commission (DPC) is currently investigating possible privacy violations by Google. For that reason, the Dutch supervisor does not have to conduct its own investigation.
The judge ruled in favour of the Consumers’ Association on one point. The interest group is indeed an interested party in this matter. The Dutch Data Protection Authority stated that this was not the case because the Bond did not speak on behalf of the group of victims. The judge made mincemeat of this argument. According to the statutory objective, the Consumers’ Association stands up for a general and collective interest and in this context, with the factual activities mentioned, focuses in particular on the prevention of abuses in the field of consumer privacy, according to the judge.
Consumers’ association: ‘European supervision falls short’
Molenaar is not pleased with the judge’s ruling. “This is a setback for consumers. They have been forced to wait for a ruling from the Irish regulator, but they have been doing so for more than 3 years. And in the meantime, the violations go unpunished. That is extremely frustrating. The AP needs to do more to speed up that process. All the more so since Google has meanwhile been given every opportunity to communicate with the Irish regulator and thus exert influence. Consumers are not heard. The way in which European supervision is currently set up is really inadequate. We will therefore draw attention to this in the near future.”
There is a glimmer of hope for the Consumers’ Association. In June 2021, the European Court of Justice ruled that EU Member States may, under certain conditions, conduct their own investigations if a company may violate the GDPR rules. After all, the ‘lead supervisor’ (the privacy watchdog of the country where the head office is located) does not have to be the ‘lead authority, the judge said. The basic principle, however, is that the complainant first knocks on the door of the national supervisor of the country where the company is headquartered. If that does not work, for example, because the supervisor of that country refuses to conduct the conversation, the case can be submitted to the court.
Catch up on more articles here
Follow us on Twitter here