Companies like Google and Facebook have often been criticized for, inter alia, violation of privacy, adhesion contracts with little to no bargaining power, unlawful consent, and abuse of dominance. With heavy regulatory scrutiny, the dominance has been subdued; however, users believe that virtual surveillance is inevitable regardless of their privacy settings, and that such surveillance is being conducted on the users' cellular data, to which the users never consented. We have identified two class-action suits filed against Google LLC (“Google”), which are yet to be heard in a court of law.
Joseph Taylor and Ors. v. Google
This class action suit has been filed in the United States District Court of California, San Jose Division, for allegedly unlawfully misappropriating the cellular data of Android users. It has been claimed that there is a passive transfer of data between a device running the Android operating system and Google even when the device is lying idle. The plaintiff’s counsel performed a test on a new Samsung Galaxy S7 phone wherein all the default settings were accepted and the device was connected to a brand new Google account and was not connected to Wi-Fi. It was found that the device sent and received 8.88 MB of cellular data per day when in a completely idle state with all the apps closed. 94% (ninety-four percent) of these communications were between the device and Google.
Android users must mandatorily accept the given Google policies and are given little to no choice. Such contracts are adhesion contracts. Further, even if the policies were lawful, none of the Google policies takes the consent of the user to use their cellular data and passively transfer information. The users are not even given an option to disable such usage of their data allowance.
As per the plaint, Android users have to mandatorily accept 4 (four) general policies of Google, which include the terms of service, the privacy policy, the managed Google Play agreement, and the Google Play terms of service. The Google Play terms of service is the only Google policy that even mentions the usage of cellular data; however, it provides that it is in connection with your use and viewing of the content. Therefore, ideally, when the users are not using or viewing the content, the cellular data should not be used.
It has been further claimed that most of the communication consists of LOG files, which are not time-sensitive and whose transmission could be delayed until a Wi-Fi connection is available. A reference is made to the study by Professor Douglas C. Schmidt in 2018 on Google’s data collection efforts, wherein he found that Chrome and Android transferred information to Google even in the absence of any user interaction. When the phone was idle and the Chrome browser was open in the background, the passive transfer occurred 900 (nine hundred) times in a span of 24 (twenty-four) hours. It is claimed that an iPhone communicated with Apple only a small fraction of the times that an Android device communicated with Google.
Primarily, the court must decide on two issues: firstly, whether cellular data forms a property interest of the user under California law, and secondly, whether Google has misappropriated the user’s property without the user’s consent to conduct the passive transfer of information. Interestingly, an exact relief amount has not been mentioned in the plaint; instead, the plaintiffs have prayed for the fair market value of the cellular data converted by Google and the reasonable value of the cellular data used by Google to extract and transmit information.
Anibal Rodriguez and Anr. v. Google and Alphabet Inc.
This class action suit has been filed against Google and Alphabet Inc. for unlawful collection of data without users’ consent, even though the recommended privacy settings were followed to prevent such interception and collection of browsing history. The plaintiffs have approached the US District Court for the Northern District of California for violation of the Federal Wiretap Act, the California Invasion of Privacy Act (CIPA), and the Comprehensive Computer Data Access and Fraud Act (CDAFA).
Google has been called ‘voyeur extraordinaire’, and the plaint further states that Google has made itself an unaccountable trove of information that even George Orwell could not imagine. One of the main arguments of the plaintiffs is the usage of the Firebase software development kit (“Firebase SDK”). Google offers services like marketing on the Play Store, ad exchange, and Google Analytics only if the app developers develop their apps using the Firebase SDK. As per the plaint, the Firebase SDK allows Google to ‘automatically and systematically’ intercept and track users’ app activity data even if the users turn their web activity off. The Firebase SDK’s automatically collected events include (i) page location; (ii) page referral; and (iii) page title. The app developers are not required to write any additional code to collect such information, as it is embedded in the Firebase SDK. Hence, the publishers have little to no choice in using the Firebase SDK, particularly on the Android operating system, for better access to web analytics and advertisements.
The plaint further mentions that Google offers Google Analytics free of cost to websites generally to collect pseudonymous data on their visitors. Once it is embedded in the website, Google’s custom code runs in parallel with the website and the user’s browser sends their personal information to Google’s servers located in California. Google does not ask the website developers to take the permission of the users for the collection of their personal information. An issue has also been raised regarding the collection of data while viewing a website in private or incognito mode.
Further, a reference has been made to the fine of EUR 50 million imposed on Google in France by the Commission Nationale de l’Informatique et des Libertés, which was also affirmed by the highest court, for the consent process with the Android operating system, which violated the General Data Protection Regulation (“GDPR”). The plaintiffs claim that by offering the ability to turn off ‘web and app activity’, the users were given a reasonable expectation of privacy. The plaint also draws reference from another complaint against Google, filed by the Arizona Attorney General, alleging that the location of consumers was tracked though they had opted to turn location off. The plaint also refers to the study of Professor Douglas Schmidt, who states that ‘surveillance capitalism’ is a perfect phrase for Google’s business.
The Plaintiffs claim that they have suffered a loss due to violation of privacy and loss of value in personally identifiable information.
BlockSuits Comments
Amid increased allegations of abuse of dominance both in the US and Europe, Google is already under extreme regulatory scrutiny. The class actions, though pending, will only add to the duress that Google faces with the questioning by the US Congress. Allegations of privacy violations have increased substantially in 2020, with Apple following Google’s lead in the case recently filed by Max Schrems in Europe over the iPhone-generated tracking ID violating privacy laws. The said tracking ID allows advertisers to track users in an efficient manner and target them for advertising purposes. The case, at least contextually, appears similar to the cases filed against Google for privacy infringements. Earlier this year, the Belgian Data Protection Authority (BGDA) had also reported that the system of online tracking and the real-time bidding system of the advertisement interface was in serious violation of the GDPR. Google’s ad market in itself generates about EUR 6.7 billion to its gain, and it is claimed that through tactics like the usage of the Firebase SDK Google is able to increase those figures.
Authored by Samaksh Khanna and Shivani Agarwal, Founders of BlockSuits.