Austrian Citizen Files GDPR Legal Complaint Over Android Advertising ID (theregister.co.uk) 43
An anonymous reader quotes a report from The Register: Privacy pressure group Noyb has filed a legal complaint against Google on behalf of an Austrian citizen, claiming the Android Advertising ID on every Android device is "personal data" as defined by the EU's GDPR and that this data is illegally processed. Based in Vienna, Austria, Noyb is a nonprofit founded by Max Schrems, a lawyer and privacy advocate, to focus on "commercial privacy and data protection violations." It says that "the core task of the office is to work on our enforcement projects and to engage in the necessary research for strategic litigation."
The complaint against Google, which was filed with the Austrian Data Protection Authority, is based on the claim that Google's Android operating system generates the advertising ID without user choice as required by GDPR. "In essence, you buy a new Android phone, but by adding a tracking ID they ship you a tracking device," said Noyb lawyer Stefano Rossetti. [...] The complaint can be viewed here [PDF] and raises key questions about privacy, choice, and tracking. It states that the complainant (the name is redacted) completed a Google contact form to withdraw consent to use of the advertising ID (if consent had been given, which is disputed), and to object to its processing. Article 7 of the GDPR states that "the data subject shall have the right to withdraw his or her consent at any time." Article 21 is a "right to object at any time to processing of personal data concerning him or her" for marketing and profiling, following which the law states that "the personal data shall no longer be processed for such purposes."
The complaint says that there is no opt-in "consent button" for the advertising ID. Although users have to agree to the general Google privacy policy, according to the complaint this consent "was neither informed, specific (the data subject has to agree to all Google services in a single step), nor free (the user cannot use a 800-euro phone without agreeing)." [...] The complaint requests that Google is ordered to "permanently delete the advertising ID", provide access to the data collected, and be fined based on various GDPR breaches.
The complaint against Google, which was filed with the Austrian Data Protection Authority, is based on the claim that Google's Android operating system generates the advertising ID without user choice as required by GDPR. "In essence, you buy a new Android phone, but by adding a tracking ID they ship you a tracking device," said Noyb lawyer Stefano Rossetti. [...] The complaint can be viewed here [PDF] and raises key questions about privacy, choice, and tracking. It states that the complainant (the name is redacted) completed a Google contact form to withdraw consent to use of the advertising ID (if consent had been given, which is disputed), and to object to its processing. Article 7 of the GDPR states that "the data subject shall have the right to withdraw his or her consent at any time." Article 21 is a "right to object at any time to processing of personal data concerning him or her" for marketing and profiling, following which the law states that "the personal data shall no longer be processed for such purposes."
The complaint says that there is no opt-in "consent button" for the advertising ID. Although users have to agree to the general Google privacy policy, according to the complaint this consent "was neither informed, specific (the data subject has to agree to all Google services in a single step), nor free (the user cannot use a 800-euro phone without agreeing)." [...] The complaint requests that Google is ordered to "permanently delete the advertising ID", provide access to the data collected, and be fined based on various GDPR breaches.
I'd love to see it, but this will never happen. (Score:1)
Their business plan would implode upon itself overnight if the world's distributed justice systems all woke up to how truly fucking illegal and usurious it all is.
Re: (Score:2)
Their business plan would implode upon itself overnight if the world's distributed justice systems all woke up to how truly fucking illegal and usurious it all is.
Just because you don't like the law, or the law may be unjust doesn't make it illegal.
Re: (Score:3)
Their business plan would implode upon itself overnight if the world's distributed justice systems all woke up to how truly fucking illegal and usurious it all is.
Just because you don't like the law, or the law may be unjust doesn't make it illegal.
Well, maybe the point he was trying to make is that there is no law since this is a relatively new field of activities. We'll see how this checks out with GDPR since this is pretty new as well.
When there is no law against it, of course it's legal!
Re: (Score:2)
There is plenty of law, especially over electronic privacy in the EU. There are also now decades of precedent in every civilized nation about usage agrreements for electronic goods. The question then is not whether there is law, but whether the law applies in this particular case, a point which many companies and many purchasers wind up disagreeing about.
Re: (Score:1)
Re: (Score:2)
I'd like to subscribe to your mailing list.
Re: (Score:2, Interesting)
I don't see how. All the tracking really gives Google is the ability to target specific ads at the individual level. Which allows them to do variable pricing to its customers (ad folks). At best, all that banning would do is give you a random ad in the same ad space. Lets leave out the other possible changes like increased ad space or deceased Android funding or increased general ad rates, etc etc.
But even with this, Google still has a pretty good targetting system gleaned from various levels. GDPR doe
Re: (Score:1)
They can still collect what network you are on, what IP you have, what location you are at, what browser, what language, etc. None of these can be nailed down to a specific person and if they don't use it to generate a unique ID, then they are mostly in the clear.
The above is actually not correct.
Pieces of information that can be used, on their own or when combined with others, to identify you, are individually considered to be PII.
That specifically includes IP address.
And no, it doesn't matter whether you share the IP address with others, use NAT, or whatever. An incoming IP address is considered PII and needs to be treated accordingly.
Source: We already do, not because it's fun, but because we have to. Luckily, it's not hard.
You can reset it at will (Score:4, Informative)
I mean I can understand the complaint - Google doesn't make clear in the EULA for Android that this is present (although by now I think most people should know Google does this). But it's pretty trivial to remedy by yourself.
Re: (Score:3, Insightful)
You can reset it at will [ghacks.net]. Your device doesn't even need to be rooted.
I mean I can understand the complaint - Google doesn't make clear in the EULA for Android that this is present (although by now I think most people should know Google does this). But it's pretty trivial to remedy by yourself.
I don't think that's the point. People want to be able to buy an advertisement subsidized device at subsidized prices without the advertising.
Yes, I know that doesn't make sense, but with human nature, we tend to want our cake and to eat it to.
Re: (Score:3)
While I get what you are saying, GDPR was recently clarified to state that you cannot differentiate service based on acceptance/denial of privacy concerns. This means they cannot say hey $200 if you accept this advertising ID, $400 if you don't. Also Google does not even do this, they don't have an AD subsidized version vs a non-AD subsidized version (they might in the USA, but not in the EU that I have seen).
Re: (Score:3)
While I get what you are saying, GDPR was recently clarified to state that you cannot differentiate service based on acceptance/denial of privacy concerns. This means they cannot say hey $200 if you accept this advertising ID, $400 if you don't. Also Google does not even do this, they don't have an AD subsidized version vs a non-AD subsidized version (they might in the USA, but not in the EU that I have seen).
What I'm implying is that Google develops the operating system, and Google themselves are almost entirely advertisement funded. It's pretty unlikely they'd be able to spend so much time developing the worlds most popular OS if you denied them their major source of funding.
So no matter how you look at it, Google's products are paid for with ads one way or another.
Re: You can reset it at will (Score:5, Informative)
Sure, but that doesnâ(TM)t change the fact that their source of funding is illegal in the EU and Australia (and probably a bunch of other places) for the reasons stated:
* You canâ(TM)t decline the data collection and still get to use the device.
* The privacy policy doesnâ(TM)t give you the ability to opt into or out of data collection without agreeing to a bunch of other stuff.
* There is no way to later require google to delete all data they hold on you.
* There is no way to stop google ever collecting data on you again.
All of these things are requirements of EU law.
Re: (Score:1, Insightful)
That would be Austria, which is part of the EU last time I checked.
Australia bends over at the USA's whim so I don't think any of they have any effective laws against PII collection. (Note I said "effective," since Australia has lots of apparently toothless laws that are never enforced by its Privacy Commissioner.)
Re: (Score:2)
* You canâ(TM)t decline the data collection and still get to use the device.
* The privacy policy doesnâ(TM)t give you the ability to opt into or out of data collection without agreeing to a bunch of other stuff.
These two are not hard requirements of the GDPR. They are hard requirements only for access to normal public services, e.g. Going to a website, you need to be able to opt out. You're absolutely allowed to require data collection as a condition of using a product as part of terms of service.
* There is no way to later require google to delete all data they hold on you.
There is. It's just not accessible to Americans. Google provides EU citizens with the ability to delete their data associated with their ID.
* There is no way to stop google ever collecting data on you again.
That's not a requirement of the law. The requirement is that they don't collect d
Re: (Score:2)
But the GDPR doesn't address this at all. Its a long way from it. It only hits against collecting, storage, and sharing of personally identifiable information or information that could be used to generate such. It doesn't have anything at all about minimizing ad space. At best case scenario, it reduces Google to the same capability as bill board or on train ads. More general, but still targetted to locations or group types. Except Google can move or update that ad space on a daily basis.
Blame Forwarding Tactic (Score:2)
Re: (Score:2)
Who are these "people" of whom you speak? I don't want a phone subsidised by advertising. In fact I pay an obscene amount to get a Samsung phone with alternatives to Google apps for most things. But I still can't completely opt out of the nefarious Play Services sending data to the Google mothership, the advertising ID, and the rest of it. For the money I pay, the phone shouldn't need to be subs
Re: (Score:2)
Actually you can opt out of it tracking you for advertising. This a quote from the play store policies [android.com]:
Re: (Score:3)
Not sure how that helps. App has advertising ID calls home with ID. ID changes. APP advises ID has changed. Advertiser has new ID associated with old ID. Computers are great at keeping track of things like this.
What would kill this tracking is more control of our phones and the ability to erase junk off our phones.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
> it's pretty trivial to remedy by yourself.
You've missed one of the core principles of the GDPR, that people must take some action to opt into having their personal data tracked after they have been informed how the company wants to do that, and that companies can't take silence as consent.
It doesn't matter how easy it is to opt out of something. That the user is tracked without them taking any action is on the face of it a violation of the GDPR.
Re: user cannot use a 800-euro phone without agree (Score:5, Informative)
Given that the business practice that makes them cheaper isnâ(TM)t legal in the EU, that seems pretty reasonable.
Rests on reversability (Score:2)
The way the GDPR works, and this entire case, rests on if this advertising ID constitutes PII.
I find that doubtful. The only way this ID constitutes PII is if there is a reasonable way that one can determine an individual based on it.
That is not how these IDs work. Google doesn't tie this ID to a person.
Re: (Score:2)
It does count as PII. While you can reset it, it's tied to other identifying information in your phone, like IMEI. This is how they get targeted advertising to you (not like apps don't already ignore this and its settings and just try tracking you via IMEI and other identifying stuff to begin with.)
Re: Rests on reversability (Score:2)
Unless you have some evidence to the contrary, what you're saying is an assertion. There is no logical reason I can see why this ID would be affiliated to an IMEI... and actually since you can reset your ID at will, I can't see how that could be the case. Your IMEI is not sent to advertisers, apps can't even access it unless they request permission to make phone calls and you grant it.
Re: (Score:1)
"Unless you have some evidence to the contrary, what you're saying is an assertion"
Literally in every fucking page regarding Android Advertising ID, and even in the T&C (not that YOU actually read them, while I did.)
Can't be an assertion when a basic fucking Google search throws up all the ways AAID is tied to various phone identifiers, and has been known for at LEAST five years.
Pull your head out of the sand and get with modern times.
Re: (Score:2)
A persons actions and accounts tie this ID to a person even if Google says it doesn't tie the ID to a person. Here's a simple example. Joe clicks ad in app. App ties ID with link. Person buys product and discloses personal info. Now advertising ID is tied to personal information. If an ID can customize advertising it can be tied to a purchase.
Re: (Score:2)
Most location information can be linked with the MAC address of gf the device. IF not, it's linked through the advertiser's use of ad.doubleclick.net with enough metadata to identify most individuals: if the data is too anonymized to be tracked, it's not useful for "targeted advertising", which is actually personalized advertising. But they've modified the name to obscure how very personal it is.