On December 11th Google CEO Sundar Pichai was questioned by the US House Judiciary Committee on several issues: Google's data collection, allegations that Google manipulates search results along political lines, and the relationship between Google and the Chinese Government in the so-called Dragonfly project.
Here you can find the hearing highlights made by the CNET channel on YouTube.
As a European, I had the feeling that the Google CEO was answering the US Committee while actually speaking to the EU Commission, worried by the antitrust fine Google has to pay.
In the past few months, in fact, Google first had to face the € 4.3 billion fine for abuse of its dominant market position: device manufacturers were forced to pre-install Google Search and Chrome in order to get access to the Google Play app store.
Then it came out that, because of a bug in a Google+ API, third-party app developers could have had access to personal data of users who had installed those apps.
Consequently, Google decided to shut down the Google+ project, probably to avoid privacy fines from the supervisory authorities.
According to the EU Regulation, in fact, such a privacy violation could lead to a fine of "up to 20 million Euro or 4% of the company's global annual turnover, whichever is higher".
What does GDPR require to comply with?
The EU legislator accepts that legislation cannot keep pace with technical development and that trying to stop it would be impossible (and economically damaging). The Regulation therefore sets principles rather than prescribing technologies.
The pillars of the new EU Privacy Regulation are:
- User’s informed consent on data processing;
- Privacy by design and privacy by default;
- Data Protection Impact Assessment;
- Data Breach notification.
Following this path, we can read some of Pichai's statements as if they were addressed to the EU Commission, as an effort to assure Google's GDPR compliance.
User’s informed consent on data processing
It means the user must be informed about what kind of data the device/app/software/company will process, for what purpose, how long and where the data will be stored, and whether the data will be shared with third parties. This information must be clear and understandable to all users, not buried in a long legal text.
That's why the Google CEO continuously underlines that they provide "choice, control and transparency in use". It's like saying to the EU Commission: "We're complying! Our users are informed, and they can choose what data to share with us."
Privacy by design and privacy by default
It means that a device or service must be designed with privacy in mind from the very early stage of the creative process, and that the most privacy-protective settings must be the default, so that any additional data collection requires the user to opt in. That's why the Google CEO answers by saying that if you install a fitness app you may want it to track how many steps you take in a day: you opt in by asking the device to track it.
An iPhone or Android device can track your location, the surrounding weather conditions and many other variables like altitude or latitude, which can be useful in a great variety of situations: while visiting new places, driving your car, tracking your fitness workout and so on.
It's up to the user to decide whether tracking is really needed. Until then, the device must be set to no-tracking mode and the user must opt in: that is what privacy by default truly means, and that's what the Google CEO tried to explain to a worried Republican Congressman who did not want to be seen in the company of Democrat colleagues (and vice versa).
Data protection impact assessment
It means that the data controller must assess the impact of its processing on the protection of personal data, across all of its company processes and especially where the processing is likely to pose a high risk to the people concerned. That's why the Google CEO keeps saying that "Google pays a lot of attention to users' privacy and employees know that".
Data breach notification
It is a key point in building a better relationship between service providers and users. The EU legislator knows that there is no zero risk in data security.
Every system can be attacked, any technology can be hacked, and a data controller's reticence can endanger personal freedoms and rights. Therefore companies suffering a data breach must notify it to the competent supervisory authority (the national data protection authority, without undue delay and where feasible within 72 hours), which can suggest further steps to take to restore data security.
The authority can obviously fine the data controller if the data breach was caused by a violation of GDPR rules. That's why the Google CEO keeps saying they checked for manipulation of the search engine algorithm and didn't find any evidence.
Some European newspapers noticed that the Google CEO said that the EU antitrust fine was the first one. The Google+ affair came out a couple of months before GDPR came into effect, and we do not know how truly compliant Google is with the privacy legislation.
The future will tell us.
Final consideration
However, the main issue coming out of this hearing is how important it is that people are aware of how technology works, of its potential and of its risks. As was said in the opening: "With great power comes great responsibility". Having powerful devices (think about the smart home and Artificial Intelligence) brings great responsibility to users too, who must be aware of what kind of data they share with their device, balancing costs and benefits.
On the other side, manufacturers and developers must minimize data processing in order to keep their users' rights safe from misuse and attack. The balance between what a device can do and what the user actually needs it to do and detect will become more and more important with the development of AI.
Let me know in the comments if you had the same thoughts while listening to the Google CEO before Congress, and do not forget to follow me!
Here you can watch the entire hearing.