Google Misses the Mark – Again

Google Misses the Mark – Again

Google Misses the Mark – Again - –


Remember words like ‘I don’t like saying “I told you so”, but I did tell you so.’? They’re annoying, aren’t they…
Yesterday a good few people in my network used various terms and words -some of which are not to be repeated here or anywhere- to direct my attention to a news item many of you may have missed. As per 29 March 2022, Google removed the ‘Web & App Activity’ controls from the admin control panel and splitting it into separate settings. So admins don’t control company-wide privacy settings anymore. Can you say WT…?!
More importantly, Search History will now live as a seemingly new but factually split/separated thing. As a result, Google has the guts to assume opt-in, default to automatically run Search History for every single user of a paid Workspace account (yes, even if previously as part of the Web&App Activity, you turned it off!), and basically track and save all user activity. Since the admin doesn’t control this for their employees across the company anymore, EVERY INDIVIDUAL USER MUST MANUALLY TURN IT OFF.
I don’t like talking in bog letters, but before reading on: if you use Google Workspace and you value your privacy even a teeny tiny little bit, pause the read and turn it off now. According to Google, here’s how.  For some reason, the rollout isn’t universal as some folks I know checked it and did not find that switch to turn it off, yet. The update may take place later, check frequently. The rest of the below text won’t go away, so go ahead and do it. While you’re at your activity page, check the rest too. There’s potentially a LOT you may want to see deleted. Here’s your chance. Now.

Thanks for getting back. Now assuming those bits and bytes are actually removed when you just hit the ‘delete’ button on data harvested so far about a dozen times (and seeing how good that is for the environment), I feel some old publications have to be dusted off to set the tone here. First off, I write about consent on and off. The basics are simple, one would say. In fact, it was one of the first GDPR focused publications I’ve done at Gartner (client paywalled and archived). In it, I wrote for example that
“The characteristics of consent are quite specific. For one, it should be freely given, indicating that there can be no coercion or pressure. This brings a complication in, for example, employee relations, where an employee might be afraid to lose his job when not consenting to a specific processing activity. (Note how this part has become quite relevant afterwards) […]
“Consent” in the GDPR requires the circumstances to include several conditions:

“By a clear affirmative act.” Silence or implied consent and prechecked boxes, then, are a thing of the past. The organization must ask outright for consent.

“Specific.” When the processing has multiple purposes, consent should be given for all of them. Obtaining separate consent is advised where the processing activities are not inherently related. Buying a pair of sunglasses in a web shop, for example, does not automatically lead to receipt of the daily newsletter from that moment on. The burden of proof — that consent was indeed obtained in a correct and explicit manner — lies with the data controller.

“(As an) informed and unambiguous indication of the data subject’s agreement to the processing of personal data.” For consent to be informed, the identity of the controller and the processing purposes should be provided. This requires use of plain language when providing the information the consent is based on. Likewise, member states have additional requirements for the protection of children (minors), as their consent may not be deemed valid.”

Google is making this very, very difficult. An optional setting, that is by default ‘on’, forcing their monitoring and tracking activities upon employees through their respective employer. And on that note, there is something important about data controller vs data processor. I have always said that
When it comes to personal data, the notion of data ownership is moot. The owner is after all the data subject. The best thing organizations can pursue is to control it.
In the same publication of 2017, I noted that “The GDPR references data controllers and data processors; these roles are a matter of definition rather than choice (see Art 4 GDPR). To determine the appropriate role for each processing activity, consult legal counsel. For the purpose of this document, readers should remember the following starting points:
A data controller: * Controls what personal data is processed, * Responsible for processing purpose (in other words, determines why that personal data is processed), * Responsible for the means of processing, * May create third-party agreements with data processors and subprocessors.
A data processor: * Uses data only as instructed by data controller, * May create subprocessor agreements as authorized by the data controller.
Organizations should be aware that they can occupy both roles in different processing activities. Using a cloud-hosting provider’s services, an organization may be a data controller and the hosting provider the data processor as it stores and processes the data on behalf of the data controller. However, when deploying EU-based employees, the cloud provider may be the controller for the HR activities. ”
And this is where things go a bit more wrong. Guidance on how to select and control data processors, or how to scrutinize a data processor agreement, and such more I have written about in the year that followed for example. But fortunately, there’ more good stuff coming from the Dutch like myself. For example, a recent DPIA on professional use of Teams with SharePoint Online, OneDrive and Azure AD. And previously, in December 2018, the Dutch MoJ commissioned the Privacy Company to conduct a review of the O365 set they were using. Only to find that Microsoft was silently processing 70-odd pieces of telemetry on each individual user. Something they later adjusted. And yet, this shows Google should have known better.
When processing information outside the instructions of a data controller, the data processor by definition rather than choice becomes the data controller themselves for that processing. Just as Microsoft was wrong for being insufficiently transparent about the monitoring for analysis and improvement of the product, Google is dead wrong (because by now everyone should know better) missing the most fundamental elements of privacy by design and by default.
Or, to reference just another piece I should probably dust off: