This case has been in the pipeline for a little while, but now it is official -- the Irish Data Protection Commissioner (DPC) has announced a formal investigation into whether the tech giant is processing location data in accordance with GDPR.
It's a crucially important question because the Regulation, which has been in place for more than a year and a half, is crystal clear and very strict on processing a person's location.
There are a couple of options. If you're a telco or a value-added service offering to "find my nearest" or "locate my phone," you're in the clear. If you're selling people's data so they can be reached with targeted adverting, well, you're on a pretty sticky wicket.
Anyone with interest in the matter should take a look at the ICO's guidance, which warns anyone processing location data that the hurdle for compliance is high.
Particular attention may be drawn to a point the regulator makes about a "blanket catch-all statement" on a website not being anywhere near enough to comply with the law.
Location is one of those areas marked for specific consent within GDPR. It can't be added in with other consents and it cannot be assumed. It has to be asked for and it has to be freely given.
For this to be legal, a gathering company such as Google must be clear on what type of data they are storing and what it will be used for. They also need to be clear on how long they intend to keep hold of the information and give a steer on whether it is likely to be shared -- and if so, with whom.
Regular readers will remember a question I often come back to. When we all just clicked on terms and agreements to carry on using services as GDPR came in, do you remember being specifically asked by Google if it was okay to track your location?
I have to say, I just don't remember doing anything other than agreeing to some terms just to keep on using search, maps and Gmail.
Location, from what I remember, was never pulled out as a specific issue for which specific consent was asked for.
So Google looks like it will have to bring out the big guns to answer the case before it and, of course, it has told Sky News that it intends to work with the DPC on the case. It also, rather strangely issued a statement about people needing to know more about controlling how services like Google process their location information.
Now, I'm no legal eagle, but I'd suggest the same could be sent back to Google. My very basic reading of the GDPR and the ICO guidance would suggest that it is up to the processor to get it right and be very clear so informed consent can be requested.
More a case of the processor getting it right in the first place, rather than consumers having to delve through settings to see what location information may or may not be collected about them.
Talking of which, there could be further trouble further down the line for Google again. The privacy campaigner, Johnny Ryan, Chief Policy & Industry Relations Officer at Brave, the browser which allows users to control who sees their data and to avoid being tracked, has new allegations. The software company is claiming that Google and the wider RTB industry is accessing sensitive information about people visiting council websites.
We've swapped a couple of messages about his fresh allegations and they focus on people expressing details about their lives through the council services they access online which would need specific consent to be processed under GDPR. This one's going to come down to whether those involved can claim no personally-identifiable data is used or whether the absolute letter of the law is applied and a device ID is considered to be personally identifiable. And, by the way, this is actually what the law states.
So, Google is in the dock in Ireland for location tracking and could be needing to defend itself against allegations in the UK that it processes special category information about people (health, politics, religion, sexual orientation) without clear, informed consent.