Google Accused of Breaking European Privacy Law By Hoarding Personal Data of Potential Job Candidates

An anonymous reader shares a report: When Mohamed Maslouh, a London-based contractor, was assigned to enter data into Google's internal gHire recruitment system last September, he noticed something surprising. The database contained the profiles of thousands of people in the EU and U.K. whose names, phone numbers, personal email addresses and resumes dated back as far as 2011. Maslouh knew something was amiss, as he had received data-protection training from Randstad, the European human-resources giant that employed him, and was aware of the EU's five-year-old General Data Protection Regulation (GDPR), which remained part of British law after Brexit.

Under the law, companies in the European Union and U.K. may not hang onto anyone's personal data -- that is, information relating to any identifiable living person -- for longer than is strictly necessary, which generally means a maximum retention time measured in weeks or months. Google may now face investigations over potential violations of the GDPR, after Maslouh filed protected whistleblower complaints with the U.K. Information Commissioner's Office in November and with the Irish Data Protection Commission (DPC) -- which has jurisdiction over Google's activities in the EU -- in February.

Bad

[AmiMoJo]

This is pretty bad for Google. Gross negligence at best, it should have been really obvious to many people with access that the database was non-compliant.

Re:

[gweihir]

I say hit them with the hammer. Not the large one, just the 4% of annual turnover one. They richly deserve it. (The large hammer is to forbid them the processing of personal data of any kind.)

Re:

[Baron_Yam]

They'll pay their fine and next time they'll do a better job of vetting people so they only hire / contract with people who won't say anything.

What they won't do is stop collecting data, unless you put enough oversight in place that they can't even hold a meeting about it without getting caught.

That's a long time

[drinkypoo]

A few jurisdictions require you to keep job seekers' records on file for quite some time, in California it's four years. But AFAICT nobody requires you to keep them for a decade. I could see how [dumb] mistakes with compliance regions could result in four or five years, but not this... it has to be intentional.

Re:

[gweihir]

GDPR you can justify 3 monts, 6 months are dicey and a year is clearly illegal.

The truth is much worse:

[greytree]

When Joe Bloggs , a London-based contractor, was assigned to enter data into Google's internal gHire recruitment system last September, he noticed something surprising:

The database contained the profiles of thousands of people in the EU and U.K. including their name, address, phone number, details of all the search requests they had ever entered, their entire gmail address book, cookies dating back years and details of all the credit cards they had ever possessed.

Job

[dhaen]

I wonder if he's still got the contract...

Google Accused of Breaking European Privacy Law By

[pawelwrobel]

It seems to me that it's very important that there are regulations like GDPR that protect our private data. If Google actually violated these regulations, it should face the consequences for what it did. On the other hand, it's also a reminder to other companies to treat private data with care and in accordance with the law. Hopefully, the investigation will yield a positive result and help protect our personal data in the future.

Job applicants willingly gave them their data?

[Anon78906799]

Google makes it clear on applying you grant them all sorts of permissions to check up on you and ask people who know you there (it freaked me out and I bailed). There are other people at Google at least that privacy very very seriously.

Is such an opt out of GDPR grounds to retain your data?

Re: Job applicants willingly gave them their data?

[SLi]

No. You cannot require consent as a condition for a service. That's a very major point of GDPR. Consent must be freely given. This means that the person whose information is being processed must not be disadvantaged by declining. (You don't need consent to do the processing genuinely required by the service requested by the person whose information is being processed. Consent is only one or the four legal justifications for processing personal data.)

Re:

[war4peace]

Have you ever accessed a website which presents a pop-up requiring you to accept all cookies (with dark patterns for opting out of some, but not all cookies), before you even have the chance to see any content?
Yeah, plenty such websites out there.

Re:

[Njovich]

That's illegal. A small site will get away with it, but a company like Google won't.

Re:

[war4peace]

Oh, yeah?

I tried top websites by visitor count from Germany. I have not accessed the porn websites from that list, nor the general websites like Google, Facebook, Amazon. The list of gated websites, though, is pretty large:

https://www.bild.de/ [www.bild.de]
https://www.t-online.de/ [t-online.de]
https://web.de/ [web.de]
https://www.n-tv.de/ [n-tv.de]
https://www.gmx.net/ [gmx.net]
https://www.focus.de/ [focus.de]
https://www.spiegel.de/ [spiegel.de]
https://www.welt.de/ [www.welt.de] ...and so on. As a matter of fact, I was hard pressed to find websites which do NOT block you from viewing shit until you acc

Re:

[Njovich]

At politico I can do customize -> reject all pretty easily and the customize button is the same size as the accept button.

For the German ones, they mostly seem to use cookie paywalls, which some countries accept and most don't. I have no idea why a privacy authority would agree with such BS but it's a slightly different issue. So the topic was "Have you ever accessed a website which presents a pop-up requiring you to accept all cookies (with dark patterns for opting out of some, but not all cookies), bef

Re:

[war4peace]

I apologize, I picked an unfortunate way of expressing what I wanted to say, originally.

What I meant was: It's fine if a website presents a non-modal banner (usually at the bottom) notifying me about cookies and whatnot, with the option to accept all, customize, or close the banner (last option being equal to "reject all"). But when a website shows a modal window on top of content, effectively preventing me from consuming any content until I either "accept all" (always the easiest method of making that wind

Re:

[war4peace]

Hell, even Facebook is doing it.

Re:

[Njovich]

Not in my country, at Facebook I get equal buttons for 'decline' and 'accept' cookies.

Re:

[Carewolf]

Not in my country, at Facebook I get equal buttons for 'decline' and 'accept' cookies.

The biggest problem. Is that the sites pretend to not understand the rules and be retarded. So the the 'decline alll' include declining remembering the decision, so it will ask you over and over again until you accept. You have to click customize and agree to "store data on my device", otherwise it won't remember it.

Of course this stupidity is also 100% illegal, but it is taking a long time to sue literally everybody.

Lawyers + Subcontractors + ??? = Permanent record

[AnonymousHkr]

Any text-based data that goes into a permanent dossier (that you never get to see) doesn't exactly take a sea of data centers to store -- even for billions of human victims of Google's malice. What would it take for Google to work around these laws and add such data to a permanent dossier? Lawyers, subcontractors, anything else? Google, you are a rogue, malicious corporation that needs to be dismantled for the betterment of human society.

This news just in

[angularbanjo]

In a shock development that is rocking the data warehousing world to its foundations, Google has been found to be doing what it always does because no one can stop it. Film at 11.