New Data Privacy Concerns Raised Against Google in Austria
On August 24, 2022, it was announced that multinational technology company Google was being accused of violating the personal privacy of online users yet again. More specifically, the tech company is accused of breaching “a European Union court ruling by sending unsolicited advertising emails directly to the inbox of Gmail users, Austrian advocacy group noyb.eu said on Wednesday in a complaint filed with France’s data protection watchdog.” For context, the provisions of the EU’s General Data Protection Regulation (GDPR) mandate that businesses and organizations obtain the consent of data subjects prior to collecting or processing their personal data, as well as sending them targeted advertisements. Nevertheless, the ways in which businesses such as Google drive their targeted advertising campaigns places major tech companies at odds with the EU’s landmark data protection law.
Targeted advertising
The claims that had been made against the tech giant Google by the European Center for Digital Rights (NOYB), are based on targeted advertisements that were sent to the email addresses of data subjects within the country. While an email that contains an advertisement may seem like a harmless form of communication in the overall scheme of things, the ways in which personal data is defined under the numerous sections of the GDPR complicate the matter. To illustrate this point further, while the phrase personal information might commonly be associated with data such as social security numbers, driver’s license information, and financial details, among other things, the GDPR also classes GPS data, IP addresses, and “information derived from cookies, web beacons and tracking pixels” as personal data.
With all this being said, if a business such as Google wishes to deliver targeted advertising efforts to data subjects that currently reside in EU nation states, they must first obtain consent from these data subjects, as failing to do so effectively constitutes a violation of the GPDR. Likewise, the privacy violations such as those that have been alleged against Google by the advocacy group NOYB are indicative of a larger global conversation that is currently being had as it relates to personal data privacy, as few countries around the world have yet to enact privacy legislation that is as stringent or far-reaching as the GPDR, making it that more difficult for the everyday working person to protect their personal information and privacy.
Privacy legislation in the U.S.
To this last point, the current data privacy landscape that exists within the U.S. allows major technology companies such as Google to collect the personal information of data subjects with relative impunity. Instead, the data protection environment for U.S. citizens is comprised of a web of privacy regulations that apply to specific sectors of business, such as the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry, and the Family Educational Rights and Privacy Act (FERPA) in the context of educational institutions, in addition to others. This being the case, American citizens have no legal right to forbid a company such as Google from sending them targeted advertisements via their email accounts, as the U.S. has yet to pass a comprehensive data protection law at the federal level.
Repeated violations of privacy
What’s more, Google’s own recent history as it concerns safeguarding the personal information of its respective users also gives perspective to the recent allegations that have been levied against the company by data privacy advocates in Austria. For instance, Google was also accused of utilizing the geolocation data of data subjects in a manner that was unauthorized in March of this year, including further GDPR violations that were alleged to have occurred in France, another EU member country. Due in large part to the enormous influence that major tech companies such as Google currently have in modern-day society, the ways in which companies such as Google can violate the privacy of their users remain endless. For instance, it is very difficult for a data subject within the nation of Austria to prevent seeing advertisements that have been paid for by Google when using their Gmail accounts, as this is an email service that is obviously also owned by the tech company, and the rules of the GDPR do not change this fact.
While a company with the global reach and influence of Google will inevitably violate the personal privacy of the world’s billion of citizens in one way or another at some point, it is still somewhat concerning that legislation such as the EU’s GPDR law is still not enough to prevent online users from being subjected to targeted advertising campaigns they have not voluntarily signed up for. As targeted advertising plays such an important role in the ways in which tech companies like Google generate revenue during a given fiscal year, they will do everything they possibly can to deliver these advertisements to as many online users as possible. Nevertheless, data subjects should have the right to control what information they see when they log into their own personal email accounts, irrespective of any legal requirements, or technological dependencies.