Ireland’s data regulator has announced new investigations into Google and MTCH Technology Services—the company behind dating app Tinder—over complaints users’ personal data is being misused in violation of the General Data Protection Regulation (GDPR).
Tuesday’s announcements mean the Irish Data Protection Commission now has 23 active investigations into Big Tech firms (out of a total of 63 complaints)—two of which center on Google. Other firms being probed include Whatsapp, Twitter, Apple, Instagram, and LinkedIn.
The latest probe into Google stems from the search engine’s processing of users’ location data and whether the company is processing this data legally and transparently with users’ informed consent.
The complaints came from several consumer organizations across the European Union that want the Irish DPC—in its role as lead data supervisory authority for Google—to establish whether the search engine has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.
Last May the regulator launched its first investigation into Google over whether its adtech operations were compliant with the GDPR, particularly regarding the use of personal data to manage targeted online advertising through its Ad Exchange service.
The investigation into Tinder to “identify thematic and possible systemic data protection issues” comes as the number of individual complaints into how the app leverages users’ personal data has risen.
Last month a report released by the Norwegian Consumer Council found app developers are sharing highly personal information with adtech firms as part of their business model, despite the risk of violating tough privacy rules, the prospect of being hit with hefty fines, and the possibility of losing consumer trust and damaging their brands.
Tinder was one of the 10 apps found to be transmitting GPS location and sensitive personal data without users’ consent not only to other dating apps owned by MTCH but also to third parties involved in advertising and/or behavioral profiling, as well as to Google and Facebook.
If the GDPR complaints are upheld—which would be the first in Ireland—it could result in a multi-billion-euro penalty for Google and a multi-million-euro fine for MTCH. Tinder did not reply to a request for comment, but Google said in a statement: “People should be able to understand and control how companies like Google use location data to provide services to them. We will cooperate fully with the office of the Data Protection Commission in its inquiry, and continue to work closely with regulators and consumer associations across Europe. In the last year, we have made a number of product changes to improve the level of user transparency and control over location data.”
Experts do not expect a quick turnaround to the probes. Ryan Dunleavy, partner and head of media disputes at law firm Stewarts, points out that while “it is commendable that the Irish Data Protection Commissioner is willing to step forward and challenge these large Big Tech firms,” the regulator’s €17 million ($18.7 million) budget pales in comparison to Google’s $130 billion in ad revenue last year. “Google has generally tended to fight hard in regulatory investigations, and indeed civil court claims against it, so it will be interesting to follow where this latest investigation goes,” he adds.
Furthermore, due to the number of complaints, as well as Ireland’s status as the regulator of choice for Big Tech firms, the Irish DPC is currently swamped with work. According to research by law firm DLA Piper, Ireland is ranked second in Europe (after the Netherlands) for data breach notifications. In the first year of the GDPR coming into effect, the Irish DPC received almost 6,000 notifications of data breaches and has concluded in 96 percent of cases that a breach occurred. That amounts to a lot of paperwork to sift through.
As a result, “the huge amount of complaints being filed there is likely to explain why it could take longer for responses to occur,” says Joseph Carson, chief security scientist at technology firm Thycotic. “Such complaints and cases will take months or longer to investigate so Ireland’s approach will likely set a trend on how the future EU GDPR complaints process will be handled across the EU for major companies.”