Google is moving EU citizens’ data to US? (andreagrandi.it)
249 points by andreagrandi on Feb 25, 2020 | 127 comments


I wonder if this is an issue with Andrea's Google account. Maybe it's some setting that makes Google think he's from the UK. The text of the same paragraph, just as I received it from Google:

"We’re improving our Terms of Service and making them easier for you to understand. The changes will take effect on March 31, 2020, and they won’t impact the way you use Google services."

No mention of Google LLC. And, surprise! I'm an Italian citizen living in Italy.


Same issue. I am resident in Lithuania (but I am from the UK originally). When I view YouTube (on a Firefox browser I have never logged in to YouTube with) I get the same message...


The copyright line at the foot of the email seems to be the most reliable way to see which legal entity your account falls under. It’d be nice if they were a little more clear about this.


UPDATE #2: after clicking here and there, I was able to find this: https://pay.google.com/gp/w/u/1/home/settings and it looks like I had set a UK address once and completely forgot about it (I haven't had any Android devices since 2014, that's why I forgot). Let's see if this will change anything.


How misinformation spreads on the internet 101. In future, it might be best to word this as a question. "Why does Google think I live in the UK?" Less click-baity and more faithful to the level of investigation you had conducted. Phrasing it as a question rather than an accusation might have even led you to the answer, something along the lines of, "well, have I explicitly told them I live in the UK? Let me check."


I wouldn't classify this as misinformation.

Facts:

1) I don't live in the UK

2) They treated me as a UK resident

3) It's not possible to change the country directly from the Google account; you have to go to the Play Store (which I don't use anymore)

4) It was impossible to contact them


You accused them of illegal behavior when they acted correctly on information you explicitly gave them. You seem to expect them to divine your implicit intent from non-payments related product usage data. But for all we know you have search history turned off, and anyway most privacy advocates would consider a join like that suspect at best. Then you publicized this false information about illegal behavior as broadly as you could. If that's not misinformation I don't know what is.

To be clear, I'm not saying you did so maliciously. Seems like an honest mistake on your part. Well, it did until you started digging in.


What do you mean "search history turned off"? I'm not sure I understand. Also, I'm not a UI/UX expert, but Google suite has "Account Settings" where I would have expected to be able to see/change my address, but the option is not there. I use a limited subset of Google products (Gmail, Calendar, YouTube, Google Docs, Maps etc...) but the possibility of changing the address was in the only product I haven't used since 2014 (I checked it because someone else, on a forum, pointed me to it). Now the address is updated, but I have no idea how to check if my Data Controller will remain the same or if it will be Google LLC. They should give us an explicit option to check/set what Data Controller we have, not infer it from a single product (which in my case wasn't used anymore).


There is a toggle to control whether Google keeps track of your search history. I suppose there's a separate toggle for location history. If you have those turned off, Google does not record that data, and there would be no way for them to derive your location even in theory.


Even if you keep track of location history, Google can get it wrong anyway (I know, because I gave up the idea of having my home address in Google Maps a year ago - it doesn't seem to learn that I've moved out, even after updating my address in Google Pay).


There is a separate setting for your home address in Google Maps. You have to update it there.


I did, but it keeps reverting back to what it thinks it learned from my driving habits. Somehow, it doesn't seem to realize that I leave every morning from the same address and get back to it every evening.


Using the fact that someone once entered a UK address as a proxy for living in the UK is inviting legal disaster in my opinion.


Are you a lawyer? I mean I have all kinds of legal opinions but it's not really my expertise so I don't know how grounded they are in reality. I'm not even sure whether the GDPR specifies penalties for using the wrong data processor for an account provided the same controls are obeyed. I.e. if Google uses the same protections for UK residents as they had under GDPR, I'm not certain that there would be any penalties for accidentally misclassifying some users. Actually it would surprise me if there were.

What does the GDPR say Google should use in preference to the last known mailing address?


This happened to me as well. EU citizen that lived for a while in the UK. What is different is that in Google Play I still have my home address not one in the UK. So even more strange.


There is obviously some ambiguity in the rules when people move around, and misclassifications can happen when, say, a Brazilian working for a US company in Switzerland picks up the neighbouring French wireless signal to log into their Asian VPN.

But it's really a non-issue. Google will make a good effort reducing such errors, and there aren't going to be legal consequences, nor wild leaving-Europe-for-good-drama as envisioned by some in this thread.


We all know that mistakes can happen. That is not the issue. The issue here is that there is no way to contact them and ask to fix this. I tried at least 3 or 4 times to contact them on Twitter (they are replying to other people for other issues, why are they not replying to me?) but I didn't have any luck with it.


Top of HN usually works to get Google customer support :)


> Google will make a good effort reducing such errors

suuuuuuure.


I (German citizen) also got an updated terms of service mail _which does not mention the UK_.

I take this as a strong indicator that Google believes you are a UK citizen.


Note: if anyone thinks I should at least re-phrase the title and the article, I'm more than happy to do that.

My concern is: why do they mention UK leaving EU if I'm not UK citizen? And why is there no way to appeal/complain directly with them?

Anyone can make mistakes, but if they don't let me contact them I have no way of fixing this.


"why do they mention UK leaving EU if I'm not UK citizen?"

PR most likely. Within the UK this phrasing makes it less likely to actually be read / acted upon.

However there could be more than a few grains of truth to it as well.


I believe this is because GDPR rules apply regardless of nationality. I believe the law is location based (e.g. if you are a non UK/EU citizen but operate in the UK/EU, you'll have the law affect you. But if you were an EU citizen in, say, South America, GDPR does not matter to you).

(happy to dig up some legal documents by Allen and Overy, a well-known law firm, if people want to read an analysis).


UPDATE: I've updated the article removing the "illegal" words. Since it doesn't seem to be clear if this is legal or not from their side, I think it's right to give it the benefit of the doubt. (give CloudFlare a few minutes to update the cache, please)


Yeah this isn't illegal at all, in my other comment I expanded on it a lot more [1], but in essence the EU-US privacy shield is a thing, Google LLC is in it, and Brexit isn't really relevant.

[1] https://news.ycombinator.com/item?id=22416701


This isn't illegal. You worked in London and had enough UK-based activity to warrant receiving an email notification about UK-based data handlers.


Let’s try to keep the technical mistake separate from the legal bit. I think their email is entirely legit if I was living in UK, but I don’t. Also: honestly, I use Google Maps almost every day. Even without asking me I think they have plenty of data on me to clearly see I’ve been living in Italy in the last year and a half.


Wait, are you complaining that Google knows too little about you?


They were doing the same thing with the data of citizens of Ireland. Google is flirting with a massive fine here, in spite of all their PR efforts in and around Brussels. Have you seen Brussels airport lately? It is wall-to-wall 'Google is pro privacy' PR.


Is there a way to find out where my Google account is hosted?


I'm willing to bet your data is hosted in multiple locations based on the service you're using. I don't think it's as simple as "Oh John Smith's account is hosted in Lenoir, NC".


Of course it is. It's called backups, and being prepared. If one data center burns down or is taken offline for other reason your data needs to be somewhere else.


> If one data center burns down or is taken offline for other reason your data needs to be somewhere else.

Somewhere else doesn't necessarily need to be "in different jurisdiction"


No, but ideally (and especially for live failover datacenters) it should be in a different wide-area synchronous grid segment[1] to prevent issues in the event of large disasters. For datacenters in the EU that means having a backup outside the continental EU, which has meant Ireland or Great Britain if they want to stay within the EU jurisdiction. With the UK leaving that means just Ireland.

Other disaster recovery concerns also mean that having large geographical distance between datacenters is a good idea. This can lead to jurisdictional issues, which need to be addressed when building the system.

[1] https://en.wikipedia.org/wiki/Electrical_grid#Wide_area_sync...


That's a good question. I tried to edit my details to check if there is a country to set but there isn't.


+1 on this question. Google has become a mire of EULAs and opacity, so getting data from THE data company is now nigh on to impossible.


As a matter of fact, it does not matter that much as Google just copies it to the US. From their “Compliance” page: https://privacy.google.com/businesses/compliance/

“We continue to offer a range of international data-transfer mechanisms and we are certified under the EU - U.S. and Swiss - U.S. Privacy Shield frameworks, which are a legal mechanism to enable the transfer of personal data from the EEA and Switzerland to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. We also offer EU-approved Model Contract Clauses for some services.

“We will continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.”

I find it interesting they do not specify what data is internationally transferred, and that they “monitor the evolution” of mechanisms that are compliant with the GDPR, but never say they themselves are compliant. They only position themselves in the light of a Data Processor of the GDPR, but not the actual Data Controller (eg Google Search).

It all smells very fishy.


> certified organizations guarantee to provide a level of protection in line with EU data protection law

"We have top men on it."

"Who?"

"Top. Men."


Go to https://myaccount.google.com/data-and-personalization and change Language to English (Ireland)


Done, thanks! I hope it will be enough to fix this.



Not the right place. Have you tried doing what you suggested? Because I end up on this page which, as expected, tells me that this is not the right authority: https://edps.europa.eu/data-protection/notre-r%C3%B4le-en-ta...

> Data protection supervision over private organisations such as companies is carried out by national data protection authorities. All EU Member States have at least one such authority.

> You can also take up your complaint with the courts in the relevant Member State.

> The EDPS is not competent for complaints against such private organisations; we can therefore only refer you to the relevant national authorities.

Instead, you can find national authorities here: https://en.wikipedia.org/wiki/National_data_protection_autho...

The authority in the country where the headquarters of the infringing company are will handle your complaint, as per GDPR article 56(1)¹. I don't know what happens if you complain to your local authority, they might just forward it themselves or maybe they'll tell you that you're in the wrong place. It shouldn't matter much since GDPR is EU-wide, so you can just send the same complaint to another address.

¹ https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

In Google's case this is Ireland, so the correct link would be: https://forms.dataprotection.ie/contact

Note that I am not saying anything about the article, whether Google/Alphabet is wronging anyone, or calling for anyone to file a complaint. If you want to file a complaint based on what others said, this would be the place.


Maybe also report it to the Italian data protection authority directly: https://www.garanteprivacy.it/


Thanks, this is useful to know.


It is not illegal at all.

At all.

Firstly let's establish the rules using the ICO's (the UK's Data Authority) handy FAQ [1], a site providing a copy of the GDPR [2], the EU Commission's adequacy decisions page [3], the EU's privacy shield page [4], and the dedicated site for the privacy shield's Google LLC page [5]:

In short (yes, this is my idea of short):

* We, the UK, are currently in the transition period where EU rules still apply [1 - "What happens now that the UK has a withdrawal agreement?"]. This lasts until Jan 1st 2021 [6]

* We, the UK, are currently on track to have pretty much the same rules (cynicism allowed) [1 - "Will the GDPR still apply when we leave the EU"]

* So Brexit shouldn't change the legality (more cynicism allowed)

So are Google breaking the law?

* The GDPR has a provision allowing third countries and international organisations to process data presuming. It is Article 45 [2]

* The USA has been approved for this [3]. Years ago [4].

* Google LLC is approved under Privacy Shield [5]

So, there is no indication of anything illegal going on. Yes, they are segmenting the data incorrectly and messaging an Italian as though they are a Brit. However, the change would be perfectly legal were it to be done to the whole of the EU.

I don't like it, but it is legal.

[1] https://ico.org.uk/for-organisations/data-protection-and-bre...

[2] https://gdpr.eu/article-45-adequacy-decision-personal-data-t...

[3] https://ec.europa.eu/info/law/law-topic/data-protection/inte...

[4] https://ec.europa.eu/info/law/law-topic/data-protection/inte...

[5] https://www.privacyshield.gov/participant?id=a2zt000000001L5...

[6] https://www.gov.uk/transition


So, question here: If I move from outside EU to a country that is part of the bloc, does that mean that my Google Account will change the terms and mention something about GDPR?


How exactly is this illegal?

AFAIK, it's not illegal (per GDPR) to process EU citizen data in data controllers if the individual is no longer in the EU.

_Edit_: Yes, I read the article. It looks like this person got this email notification because they had activity in London (per their resume on their website). That doesn't make the email illegal nor does it mean their activity in Italy is going to be on a non-EU controller.

The email implicitly states that it's for the UK only.


The individual in this case is an Italian citizen living in Italy.


In the article it says that the individual is in the EU. They are a resident of Italy, which is in the EU, so they are within scope of GDPR.

However, I still don't think there's anything illegal here. AFAIK & IANAL, it's not illegal to process EU resident data in data controllers outside of the EU (in the US).


Have you read the article? Entirely? If yes, can you please tell me since when ITALY is not part of EU? Thanks


I think they only read the part about the UK? Maybe?

However, the article is still kinda vague to me, cause I got the same email, and I'm mos def in the US.

I'm so deeply inside the US that I have no idea how to check where Google stores my data, and I don't really care cause the US has some bigger orange fish to fry. And pie to bake. Ajit Pie!!


Have you VPN'd into the UK or had activity there recently?

It says on your website that you worked in London.

This email is likely a courtesy notification because you had activity in the UK, a UK billing address, or something that put you there, meaning if you have activity there again, the controller will be different.

What this email does not mean is that your Italy based activity is going to a different controller, so how exactly is this illegal?


Even the article says I lived in UK/London; it's not a secret, but the fact remains I'm not a UK citizen :/ If US or EU would be the same, why mention Brexit?


* You're receiving the email because you've had enough activity in UK to warrant a notification.

* Read literally, the email only talks about the UK, not Italy.

* If you go to the UK again, then your activity in the UK will be on a non-GDPR handler.

There is nothing illegal here, and just because you're sitting in Italy at this moment doesn't mean Google is moving Italian activity handlers. The email is a notification about the UK only.


[flagged]


> If Google were to pull out of the EU overnight, there'd be death as a result

What? What kind of exaggeration is this? You think people died before Google existed or if you don't use Google? There are plenty of alternatives and even if not, how do you reach the conclusion that people will die if there is no Google in EU?

Also, I don't think either Google or the EU _need_ the other. Obviously EU has an incentive to consider its citizens first while Google's incentive is to get as much money for its shareholders as possible. If anything will happen, it would be that EU kicks out Google either by law or by enough fines so Google leaves.


> What? What kind of exaggeration is this? You think people died before Google existed or if you don't use Google? There are plenty of alternatives and even if not, how do you reach the conclusion that people will die if there is no Google in EU?

Google accounts for a substantial amount of EU electronic mail accounts, infrastructure (including infrastructure that involves medical devices), and so on: Google shutting down would interrupt essential services.

Someone else made a good comment on it:

https://news.ycombinator.com/item?id=22416208


Europe is a huge advertising and services market. Excluding it would put a huge dent in Google's profitability.


Europe and the EU are not the same thing.

It wouldn't put a "huge" dent in Google's profitability: EMEA accounted for something like 30% of Google's revenue last year, and now that the UK is no longer part of the EU, it's probably substantially less from the EU.


I think you have a very skewed view of the world if you think 30% of Google's revenue (meaning tens of billions of dollars) isn't huge.


It's not 30% of Google's revenue. That's Google's revenue from the EMEA region (Europe, the Middle East, and Africa). The EU accounts for a portion of it, and less of a portion now that the UK's pulled out.


Why would Google pull out? Let's be clear about this: the EU is setting quite tame limitations on how Google uses the data they collect on EU citizens. Google doesn't need the EU in order to exist. But it would be incredibly difficult for them to justify to shareholders why they've given up an enormous market and essentially created an opportunity for a competitor to build scale freely (and then challenge them in their own market). As for getting the EU to 'kick Google out', that's not even a thing. Either Google abides by EU laws and it can operate in the EU or they can refuse in which case the EU can fine them, and seize their assets. If you think Google can operate credibly at scale in the EU with no infrastructure in the EU then I think you vastly underestimate the complexities of running an enormous website, let alone a complex multinational organisation with large engineering and sales centres in the EU.


Conveniently for Google, they're not obligated to justify anything to shareholders. The company founders control a majority of the only class of shares that has voting rights.

https://www.businessinsider.com/google-larry-page-sergey-bri...


What percentage of Google's assets are in the EU because of their prior double-irish-dutch-sandwich scheme to evade US taxes?


That's actually a really good point. Thanks for sharing; much to think about.


> I feel like people don't accept that Google needs the EU less than the EU needs Google.

It is this sort of reasoning that will get Google slapped around. The whole idea that some corporation's interests or might trumps that of a continent with 300+ million people and a very substantial part of the world economy and Google's income is, frankly, ridiculous.


I want Google to get slapped around! Anyone who doesn't think Google has more power than sovereign nations is fooling themselves into ignoring the problems that Google has caused.


Google does not have more power than sovereign nations and they definitely do not have more power than the EU. They could get shut down tomorrow, we'd all be pissed off for a few weeks and then life would go on as usual. The whole idea that some company could strong-arm a continent is science fiction.


> a continent with 300+ million people

This would be a pretty pitiful continent. (I'm looking at you, Australia.) Europe has more than 700 million people.


My bad, thanks for the correction. Early onset of Alzheimer's or too little sleep. Hoping for the latter.


And that would be the end of Google. Anti-trust regulators in countries where it remained would take pretty decisive action in the face of that sort of madness.

(Also whoever made this decision would presumably be torn apart by enraged shareholders)


Google isn't structured so that enraged shareholders can do more than scream and sell their stock, unless you get one of the company founders on-board with whatever you're enraged about.


Presumably enraged about the precipitous stock price decline that this would inevitably entail.


If google were to pull out of the EU overnight without warning - as in literally shut off all their EU services, block EU connections, and (not overnight I would assume) let go of all their staff - then yes, there would be death.

Millions of mobile phones would stop working, various major systems would find they have a SPOF with google (ie. GCP) and there would be lots and lots of lost email and company documents.

It would be a huge financial problem for the EU.

For most things I think they would "recover" relatively quickly (bar the lost documents). But the effect would be so large they would legislate very very hard against it.

And it wouldn't just be the EU governments that would legislate against it. It would be governments the world over.

It would result in many major corporations being split up. Long lasting movements against centralised communications and ownership.

Google would lose. Hard.

When I think about it, we all have a lot to gain from Google pulling out of a major region overnight.


Not sure I follow. You don't think the EU is a big market for Google?


It's not an essential market, in my opinion. It's "big" for you and I, but it's not as stunningly huge as others in this thread suggest.

It's probably a third or so of their total revenue from EMEA, which is 30% of Google's revenue. That 10% only needs so many fines and regulations before it's no longer worth it.


It's the world's largest economic sphere, and Google would be liable to lose not just the 20% or so in revenue, but also their claim to operate world-wide. Suddenly, AWS would be a whole lot more useful than GCS again.

And for what? Because you and other Americans consider it somehow beneath you to know about other countries' laws? Note that while you're frustrated by the cognitive load and its impact on your jingoism, Google-the-company has no such feelings, and just pays a few lawyers who will happily get them into compliance.

Without any doubt, Google's earnings in Europe are orders of magnitude larger than whatever they're spending on in-house lawyers. Compared to their R&D, and hardware, and electricity, it's a rounding error. You're just experiencing some knee-jerk emotional reaction. And to be honest: I can't even really put my finger on how GRPC ended up seemingly threatening fragile US egos.

Also: just consider Google's endless misgivings about its decision to withdraw from China, even though the reasons there were far more


I want Amazon and Google to get pushed out of the EU. It'd be hilarious to me, and better for the world writ large. Also, GRPC is a Google framework. Did you mean GDPR?

I think the GDPR is a great thing. I think Google is bad. That doesn't change the fact that Google will continue to make substantially more money off of the EU than the measly fines they've been given by the EU so far: there's no incentive for them to be a good actor. They've been fined barely a few billion in fines, despite repeatedly violating the GDPR.

I want the EU to start migrating their countries away from Google, but instead they're depending on it more and more and giving it slaps on the wrist whenever they do something bad that they admit to.


> I want Amazon and Google to get pushed out of the EU.

That won't happen. They may get fined though, until they fall in line.


I remember historically, Amazon found the amount of fines they were willing to pay in France quite high for the privilege of continuing to flaunt the bookseller's guild laws.


I'm aware it won't happen. Wants don't always reflect plausible circumstances.


In which way would you specifically think of "the EU needs Google"? Startups using Google Office? Google Mail?

(I've dropped Gmail and Office a year ago, but I might come back)


Google pulling out of the EU would probably be disruptive for many Europeans, yes.

https://www.theatlantic.com/technology/archive/2015/04/europ...


But not nearly as disruptive as it would be to Google.


Me asking a question in a discussion to better understand the train of thought gets voted down. Could someone explain this to me to better understand the downvotes?


The simple suggestion would be that Google needs to ask for your citizenship status and go from there. Not sure how else to solve that. If I am an American living in the EU for a few years does the GDPR apply to me when I live there? I am going to the EU next week for 10 days. When I access my Gmail from the EU what law applies?


I have three western citizenships, one is EU, and I live across borders, usually accessing the internet via VPN from China. Google cannot possibly understand this, nor should it try to, rather it should give everyone the best protections guaranteed by law anywhere in the world and only punch holes in it for local regulations in specific jurisdictions where unavoidable. To do anything else (such as profiling for ads) is to be evil.


> it should give everyone the best protections guaranteed by law anywhere in the world

What do you do when laws from different countries conflict with each other?


Use infinite lawyer dollars and infrastructure capabilities to route around the problem where viable. Where impossible, preserve maximum protection outside of these exceptions.


Couldn’t they provide a way to check/edit our personal details so we can set our home address?


https://www.mjt.me.uk/posts/falsehoods-programmers-believe-a... ... Final falsehood: Each person has exactly one address. Same goes for phone numbers, citizenships, passports, etc.


Google's job is to make money, which means monetizing your data. We have no reason to expect anything else from a free service. I fail to understand why this surprises people. If that does not work people can use another search engine (duck duck go or the like) and pay for email (proton, etc).


It's a big open question until there is precedent but the GDPR is explicit that residency and citizenship aren’t required.

Most people are taking the position that if either end of the request is in the EU or owned by an EU entity it's covered.


> If I am an American living in the EU for a few years does the GDPR apply to me when I live there?

From my understanding, yes. Also if you are an EU citizen living in America, it also applies to you.


It's based on residency, not citizenship. It does not apply if you're an EU citizen living in the US.


> The simple suggestion would be that Google needs to ask for your citizenship status and go from there

The simpler suggestion is that Google stop collecting and warehousing people's personal information.


That is their business model. If people do not like it then do not use Google.


Don't be evil.


> I'm an Italian citizen, living in Italy [...] and I'm fully entitled to GDPR protection and to have my data owned by a European data controller.

I don't think the latter part is true. AFAIK GDPR does not give you the right to have your data owned or processed by an EU entity. GDPR does not say that.

It doesn't matter where your data is stored or processed, Google must still follow GDPR rules for data about EU residents. The first part of the comment is correct.

I'm not actually completely sure why some companies do this whole EU data controller separate company thing. I guess for organisational or legal simplicity?

(Edit: I reworded to hopefully remove ambiguity)


No, this is not true.

Companies need to be up front with you about what data they keep, and why, and they have to comply with the regs - but nowhere does it say your data has to be kept in the EU.


Why change the data controller to Google LLC for UK users only, then? (ignore the fact that they mistook me for a UK resident)


I'm also a UK resident. I can't answer your question, but at a guess, they are segregating data that falls under the GDPR, keeping it isolated from data that does not; you wouldn't have to place it in the EU to do that of course, but it might make sense for some reason.

I'm curious as to where you have got the belief that your data must be stored in the EU. Perhaps you could point towards where in the GDPR you got this from?


Yes, even if he lives outside the EU

https://gdpr.eu/companies-outside-of-europe/

It applies even to non EU citizens resident in the EU.


> Yes, even if he lives outside the EU

No. And your link doesn't support this assertion.

> It applies even to non EU citizens resident in the EU.

Yes.


Some of the examples in that article are perplexing to me. Take the example of the Colorado company they say is subject to the GDPR. What motivation does that company have not to just ignore it? Since the EU doesn't have legal authority in Colorado, does the EU block European citizens from accessing violating websites? Do they send an angry letter?


A small Colorado company collecting data on EU residents, and mistreating it, would fall foul of GDPR. Yes, the EU doesn't really have much recourse outside of the EU, so there's not much they'll do. Theoretically, if you step foot in the EU they might come after you, but I'm sure you could understand why that would be exceptional circumstances.

Google, however, does have entities within the EU, so they can enforce penalties or what not.


What stops Google or other evil corp from doing the dirty business through small companies in Denver and other places in the US? Can they purchase data from uncountable small actors without any legal repercussion?


Because the EU will be like "oh, I see what you're doing. Pay up Google EU"


Wait, so as an EU resident, processing my data outside of the EU is illegal under GDPR? I have a right to have it processed within the EU?


My understanding is that they can "process" it outside, but the "Data Controller" should be a European legal entity. After all, they are not saying "we are moving everyone's data to US", they say "we are moving UK customers to US". I don't doubt they can do it, but I'm not a UK customer, that's the point.


Incorrect. It is legal to process data outside the EU. They have to be compliant with GDPR. GDPR does not require the data to be processed within the EU borders.


Exactly. Perhaps I worded my question wrong, but this is my assumption. The entire premise of the article seems incorrect.


I think it is the reverse, although I may have misunderstood your statement. GDPR applies to the entity controlling the data, not the resident. So Google LLC is subject to GDPR. Further, an EU citizen is entitled to use Google LLC and by providing services to an EU citizen, Google LLC has to abide by GDPR. So, my understanding is that Google may move an EU citizen's data to a US company as long as the US entity abides by GDPR.


So, is it legal? I'm happy to amend the article if this is the case, but my understanding (when I initially read that UK citizens were losing some rights being moved to US) is that moving to Google LLC I will have less privacy rights.

According to their email, they think I'm a UK user:

"because the United Kingdom (UK) is leaving the European Union (EU), Google LLC will now be the service provider and the data controller responsible for your information and for complying with applicable privacy laws for UK consumer users"

But I'm not.

I can't say they are doing this intentionally, but it's surely a mistake and there is no way to reach them for a complaint.


> moving to Google LLC I will have less privacy rights.

My understanding is that you always have the same rights. Whether Google follows them is another question.

It doesn't matter where the company stores and processes your data, as an EU resident, they still must follow GDPR rules.


That is if Google LLC is able to comply with GDPR in the USA, i.e. if there is no US law contradicting GDPR. I think I have heard there is a law which falls under this category ...

EDIT: also if they believe you are a UK citizen they won't act GDPR compliant.


kinda clickbait [edit for clarity] Please cite where [your] data is now stored and how you found that information. Cause I'm US based and I got the same email! WTF Google?


And by that, I mean I got that same email. And I definitely live in the US. Please cite sources of them actually moving [your] data to Google LLC and/or US.


What do you mean by "source"? I haven't "heard" this story somewhere on the Internet. I did receive the email where they say they are going to move my data controller to the US.


Again I am really dumb, so I don't know how to check if my data has been moved to a US controller. Also, I got the same email (multiple times, thanks Google), and I live in the US.

Example: some_command -> where your data is stored at. I don't know how to verify that information.


The source is a direct email from Google.


It's difficult. You are pretending they are deliberately doing it. No one at Google wants to move your data to the US.


It's difficult for many small businesspeople to do bookkeeping, but guess what? If they want to do business and comply with the law, they do it.

If they procrastinate, or do it sloppily, because they decide to do other things with their time than prioritize keeping their books properly, they are deliberately not doing their bookkeeping.

It's the same thing with accessibility. People will say, "Our app isn't accessible, but that wasn't our deliberate choice, we just haven't tried to make our app accessible."

Nope. When you chose to spend time growth hacking instead of accessibility hacking, you deliberately chose money over accessibility.

Google does not get a pass because they didn't deliberately set out to do the wrong thing. By not choosing to do the right thing, the right way, they deliberately chose to do the wrong thing.


> You are pretending they are deliberately doing it.

Are you saying they're doing it by accident? Even if so, that means they're negligently handling the data. And if not, they're purposefully disobeying the law.


Yes, I'm saying they are doing it accidentally, and that the specifics of the scenario will undoubtedly be more complex than it seems on the surface. Every company is breaking some law somewhere. The legal environment is extremely complex. Google products are extremely complex. It's not some awful thing when they make an understandable, minor mistake.


> It's difficult.

Please elaborate. What is difficult? And why is it difficult?


It's difficult to know for sure where to store data in a GDPR world. People move. People have multiple citizenships. People open accounts in countries where they aren't citizens. People give up citizenships. People share documents with other people. People ingest data from one product to another. People comment on documents. It's really, really hard to get all of this down. It's not even clear legally what to do in various scenarios and it's impossible to enumerate them all. It's difficult.

