An association of users denounces Google for ignoring the data protection law in Gmail

Google adds a new complaint. Asufin, the Association of Financial Users, has reported Google to the Spanish Data Protection Agency for violating “seriously the requirements of the General Data Protection Regulation” and for “irregularities in the creation of Gmail accounts”.

The reason. According to Asufin, the reason for the complaint is that, during the quick creation process of a Gmail account (aka Google account), “the treatment of: use of date of birth, interval of age and gender, to profile and offer advertisements and recommendations, as well as the recording of activity on Google, YouTube and Maps, for the purposes described (essentially, personalization of advertisements)”.

hard to refuse. In the same way, it is considered that Google “does not facilitate the possibility of denying all these additional treatments” in an easy and simple way, but that the process is “long, cumbersome and with confusing language”. It is argued that, according to the European Regulation, the fastest process must offer “greater protection of the data provided by the user”, but in Google “the opposite happens”.

It is not a “mere email account”. Although Asufin states that “the procedure is not transparent and involves excessive processing for the purposes pursued by the user: to open and manage a mere email account”, the truth is that the user is not creating a “mere email account”, but a Google account. The Google account enables a Gmail account, yes, but it is also the one used to create a YouTube channel, log in to Google Maps or access the Google Play Store on an Android mobile. In any case, “proportionate and effective fines” have been requested, taking into account the users affected and the dominant position of Google.

Google’s response. From Xataka we have contacted Google to know its position and from the company they have exposed the following:

“We know that consumer trust depends on honesty and transparency, which is why we have staked our future success on making controls ever simpler and more accessible, and giving people clearer choices. Equally important, in do more with less data. We welcome the opportunity to engage on this important issue with consumer advocacy and regulators in Europe. People should be able to understand how data is generated from their use of internet services. If not they like it, they should be able to do something about it.” Google spokesperson

The complaint is reminiscent of Brave’s. A few months ago, Brave, the company behind the well-known web browser, sued Google for something similar. In a 59-page analysis, Brave explained how Google violates GDPR with “hundreds of ill-defined processing purposes and an unknown legal basis.” Article 5.1 of the GDPR specifies that the data must be “collected for specific, explicit and legitimate purposes and not processed in a way incompatible with those purposes”, but Google, according to Brave, is limited to sending a set of links to the privacy policy in which the hundreds of uses that Google actually makes are not specified, according to the indictment.

Privacy in the spotlight. In recent years, privacy has become (fortunately) one of the great obsessions of the technological world, which is why international organizations have started to look closely at the large companies that process data, such as Google and Amazon, to verify that they comply with current regulations.

There have already been fines. This situation has led companies such as those mentioned above to have been fined on occasion. Without going any further, in the summer of 2021 Amazon was fined €746 million for violating the GDPR (the highest fine of its kind to date) due to data collection practices. Google has also been fined on several occasions: €50 million for violating the GDPR in France, ten million in Spain for violating the right to be forgotten, €150 million for making it difficult to reject cookies in France and, of course, €4.34 billion. euros, the largest antitrust fine in history, for the Android case.

We don’t just talk about big tech. Although the biggest fined and the most notorious are those carried out by the big technology companies, the truth is that they are not the only ones. BBVA and CaixaBank, for example, have been fined five and six million euros, respectively, for similar reasons. Even Mercadona was fined 170,000 euros for refusing to give a client the surveillance video she requested.