ASUFIN has filed a complaint with the Spanish Data Protection Agency (AEPD) against Google on the grounds that it is in serious breach of the requirements of the General Data Protection Regulation (GDPR), the European regulation that binds all companies with regard to the processing of personal data.
It urges the Spanish body that oversees compliance with this regulation to take the facts into consideration and to impose, where appropriate, “proportionate and effective fines”, taking into account the potentially affected consumers, which are “all users of Google email accounts” and the “benefit potentially obtained by Google” due to the “preponderant position in the market and the seriousness of the infringements described”, according to the letter sent to the agency.
Specifically, the infringements detected and duly documented relate to the process of providing consent to the processing of personal data when opening a personal email account using Google’s services, i.e. Gmail.
The EU Regulation determines that the easiest and quickest procedure (the one that is offered in one click) should also be the one that offers “the greatest protection of the data provided by the user, the least intrusive processing and the least temporary retention of data”. At Google, however, “the opposite is true”.
In this quick registration procedure, the complaint explains, “there is virtually unlimited consent to the processing of: use of date of birth, age range and gender, to profile and offer advertisements and recommendations, as well as the registration of activity on Google, YouTube and Maps, for the purposes described (essentially, personalisation of advertisements)”.
Furthermore, Google does not provide the possibility to opt out of all these additional, unnecessary and excessive processing in one single step, but the procedure is lengthy, cumbersome and confusing in its language.
On the other hand, the manual procedure, which enables five steps, involves 10 clicks that lead to successive information panels that are unclear, incomplete and may mislead the user about the use and processing of the data. In its complaint, ASUFIN states that “The procedure is not transparent and involves excessive processing for the purposes intended by the user: to open and manage a mere email account.
ASUFIN has submitted this complaint to the competent Spanish authorities in coordination with the European consumer rights organisation, BEUC, of which it is a member.