Google slapped with tiny fine over GDPR violations


The GDPR legislation arrived last year to much fanfare and spam email from every company you've ever interacted with, but we're only just beginning to understand the effect of it on how companies are punished for privacy breaches.

Google was slapped with a $57 million fine this week by French authorities for a 'misleading' Android onboarding process that doesn't make it clear what data is used, or that it'll be processed for advertising, let alone offering a way for the user to bypass agreeing to data sharing at all.

The complaint was filed all the way back in May 2018, on GDPR day no less, by a non-profit called 'None of Your Business.' The ruling appears to have primarily focused on Google's obscuring of what the privacy policy really contained:

"When the data subject activated a new phone for the first time (a “Huawei Y6 2018 black”) he was forced to “agree” to the privacy policy and the terms. There was no option to use the phone without consenting."

It appears that French authorities have decided that Google's entire onboarding flow for Android is illegal under GDPR. First, the ruling says that Google pushes users into accepting the terms and makes it difficult to find information about why it needs the data, burying it under up to five or six actions before it's surfaced.

Second, Google did not "sufficiently inform" the user what is going on, bundling services into one checkbox (Search, YouTube, Assistant, etc.) and burying the acceptance of advertising under a "more" button as a default-enabled option.

This is a fairly big fine in the context of history, but a tiny ding to a company worth billions, given the provisions that GDPR makes for fines of up to four percent of global revenue in cases like this. But, while I think that Google should improve its onboarding process for Android, I'm not convinced that adding an array of checkboxes for users to manually agree to, for each and every service, is a positive step forward.

As we've seen with the cookie ruling, GDPR on top of that was a recipe for sites popping boxes all over your screen, all day long. I believe the law had good intent, but it's resulted in an awful experience online on a daily basis in Europe, and there has to be a better way that doesn't end up burdening the user with 20 boxes to check ― which they'll inevitably just breeze through instead.

Google appears to have been caught off-guard by the news, as well, with no announcement or comeback to the ruling outside of a short comment that it's "studying" the ruling and is committed to privacy and control. It's hard to imagine what might come of this, especially given how many millions of Android devices are in the wild today.

Will Europe begin getting region-specific checkboxes and options when setting up a device? Ultimately, that's probably what's going to happen, but given that Google is also tearing up the way it bundles Android in Europe over the antitrust ruling, perhaps it won't be so difficult.


Tab Dump

WhatsApp limits forwarding messages to 'curb rumors'
There's a huge problem brewing on Facebook's messaging platform in the shadows: misinformation and rumors spread like wildfire, unchecked, because it's hard to detect. Facebook is responding after more than a year of pressure by limiting forwarding messages to just five users, which doesn't seem that difficult to circumvent...

Uber wants to build autonomous scooters and bikes that drive themselves to customers
Ah, there's the dystopian headline of the day.

Reports suggest that voice assistants are used more in cars than anywhere else

Interesting read: Are we in the middle of a programming bubble?