Skip to main content

Full text of "letter to isolde goggin"

See other formats


@ brave 


Professor Isolde Goggin 
Chairperson 
Competition and Consumer Protection Commission 
Bloom House 
Railway Street 
Dublin 1 
16 March 2020 


Competition law concerns in respect of Google’s data protection infringements. 





Dear Prof Goggin, 


1. I write on behalf of myself (the relevant data subject) and Brave, the private 
web browser. Brave is a rapidly growing technology business with offices in 
the US and Europe. Brave’s CEO, Brendan Eich, is the inventor of JavaScript, 
and co-founded Mozilla/Firefox. 


2. I have instructed Ravi Naik, a partner of AWO, to file my formal complaint 
against Google with the Data Protection Commission of Ireland, under Article 
77 of the GDPR. This was filed today. Please see these submission enclosed 
herewith. 


3. I write to draw your attention to the fact that the data practices outlined therein 
are abuses of Google’s market dominance, infringing Article 102 of the Treaty 
(and its domestic equivalents). In particular: 


1) As is well-known, Google is dominant in (at least) the market for general 
internet search services throughout the EEA. It has shares of more than 
90% in most Member States and there are high barriers to enter those 
markets (see, eg, the Commission’s Google/Android decision of July 2018 
and the Commission’s Google Shopping decision of June 2017).! 


2) It abuses that dominant position (and dominance in other markets) by 
creating the “internal data free for all” described below. In particular, it (i) 
imposes unfair trading on those who use its services, and (ii) excludes 
competitors on a range of related markets, in particular by leveraging 
data obtained from one market into a succession of other markets thus 
avoiding competition on the merits. 





1 See also “Online platforms and digital advertising Market study interim report”, UK Competition 
and Markets Authority, December 2019, which concludes that Google has market power in several 
different markets. 


San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


1 


@ brave 


4. [invite you to take all appropriate steps to investigate and prohibit this anti- 
competitive conduct, including by way of co-ordination with the relevant data 
protection authorities. 


Google’s internal data free-for-all 


5. | Google competes in many markets, with a diverse set of products. It initially 
kept the data that it collected in each market in separate silos. However, in 
early 2012 Google revealed that it would combine disparate datasets about 
people from different parts of its business. 


6. In late 2012 the Article 29 Working Party (later reformed as the European Data 
Protection Board) of all EU data protection authorities wrote to Google’s CEO 
that it was alarmed by the “absence of any limit concerning the scope of the 
collection and the potential uses of the personal data”.? It noted that Google’s 
“new Privacy Policy allows Google to combine almost any data from any 
services for any purposes” .° 


7. In June 2016, Google deleted this line from its privacy policy: “We will not 
combine DoubleClick cookie information with personally identifiable 
information unless we have your opt-in consent.”* Thereafter, it combined all 
new users’ data from Gmail, YouTube and other accounts with DoubleClick’s 
data about them. 


8. From September 2018 Google automatically signs people using the Google 
“Chrome" browser to all other Google services too." It is no longer possible to 
use Chrome without being signed in to the browser once one signed in to 
Gmail, or any other Google product. 


9. Google collects what it refers to as “Web & App Activity”. This includes: 


e “Your searches and things that you do on other Google services, including your location 
and other associated data recordings of a person’s location 

e Your Chrome history (if Chrome Sync is turned on) 

e Your activity from sites, apps and devices that use Google services”. 





2 Article 29 Data Protection Working Party to Larry Page, 16 October 2012, p. 1. 

3 ibid., p. 2. 

4 “Google Privacy Policy, changes from 25 March 2016 to 28 June 2016”, Google (URL: 
https://www.google.com/policies/privacy/archive/20160325-20160628/). 

5 “Google Chrome Privacy Whitepaper”, Google (URL: 





https://www.google.com/chrome/privacy/whitepaper.html#signin). 
6 Text shown when a person clicks “Learn more” in “Web & App Activity” list when signing up for a 
Google Account. (See enclosure on “Google Account sign up”). 





San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


10. 


11. 


@ brave 


A footnote in Google’s privacy policy reveals the vast data collection entailed 
by that final point: 


“Many websites and apps partner with Google to improve their content and services. For 
example, a website might use our advertising services (like AdSense) or analytics tools 
(like Google Analytics), or it might embed other content (such as videos from YouTube). 
These services may share information about your activity with Google and, depending on 
your account settings and the products in use (for instance, when a partner uses Google 
Analytics in conjunction with our advertising services), this data may be associated with 
your personal information." 


According to Google, any of these data “may be saved and used in any Google 
service where you are signed in to give you more personalised experiences."* It 
is important to emphasise that all of this is on by default when a person first 
signs up for a Google Account, which is required to use any Google service. 


My submission to the Irish Data Protection Commissioner includes an analysis 
of Google’s internal data processing purposes. It draws upon a diverse set of 
Google documentation provided to Google business clients, technology 
partners, developers, lawmakers, and users. This analysis reveals that Google 
collects personal data from integrations with websites, apps, and operating 
systems, for hundreds ill-defined processing purposes. Indeed, its purposes are 
so vaguely defined as to have no meaning or limit. The result is an internal 
data free-for-all. This analysis is enclosed herewith. 


The competition problem: unfair terms and cascading monopolies 


12. 


13. 


14. 


As set out in paragraph 3 above, Google is in a dominant position in (at least) 
the market for internet search services. It is doubtless similarly dominant in 
other markets. It accordingly has a special responsibility, on account of the 
prejudice that its conduct may cause to competition in general and to the 
interests of competitors and consumers. 


The “internal data free-for-all” described above, and which is the subject of my 
complaint to the Data Protection Commission of Ireland, is an abuse by Google 
of its dominant position. 


Two particular abuses are apparent. Firstly, there is an exploitative abuse, in 
that consumers trade with Google on unfair trading conditions. Their data is 





7 “Privacy Policy”, Google (URL: https://policies.google.com/privacy#footnote-combine-info). 
8 "Include Chrome history and activity from sites, apps and devices that use Google services" (once 
clicked) in “Google Account Activity Controls” (URL: 








https://myaccount.google.com/activitycontrols). 


San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


@ brave 


collected and processed in an unlimited way, with no proper opportunity for 
the consumer to consent or withdraw or even to know what is happening. This 
is the central complaint which I make to the Data Protection Commission of 
Ireland, but it also and equally constitutes an abuse of dominant position as 
well as a breach of data protection law. 


15. Secondly, there is an exclusionary abuse, in that Google’s “privacy policy 
tying”? allows it to cross-use the mass of data which it has acquired (from 
websites, apps and operating systems) between diverse markets. This allows it 
to: 


a. create a cascading monopoly by offensively leveraging data from one 
market into a succession of other markets; and 


b. protect that cascading monopoly by erecting cross-market barriers to entry, 
and foreclosing nascent competitors. 


16. Google not only “envelopes” competitors in multiple markets, but also 
benefits from the data it collects from the totality of these markets. A recent 
paper by Daniele Condorelli and Jorge Padilla describes this: 


“The combination of data across multiple platforms allows the enveloper to fund the 
services offered to all sides of the target market by monetizing in the origin market the 
data collected in the target market combined with the data it gathers in the origin 
marker. As a result of this and its position of dominance in a key primary market, it may 
be able to monopolize the target market and entrench its domination position in the 
origin market.”!? 


Enforcement of purpose limitation to remedy Google’s cascading monopoly 


17. It may well be the case that the Data Protection Commission of Ireland’s 
enforcement of the purpose limitation principle will remedy the competition 
law unlawfulness. 





9 Daniele Condorelli and Jorge Padilla, "Harnessing Platform Envelopment Through Privacy Policy 
Tying", 14 December 2019 (URL: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3504025). 

10 See Johnny Ryan’s testimony to US Senate Judiciary Committee, 21 May 2019 (URL: 
https://www.judiciary.senate.gov/imo/media/doc/Ryan%20Testimony.pdf). 

1 Thomas Eisenmann, Geoffrey Parker, and Marshall Van Alstyne, "Platform envelopment", working 
paper, Harvard Business School (URL: https://www.hbs.edu/faculty/Publication%20Files/07- 
104.pdf). 

12 Daniele Condorelli and Jorge Padilla, "Harnessing Platform Envelopment Through Privacy Policy 
Tying", 14 December 2019 (URL: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3504025), p. 5. 











San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


@ brave 


18. In particular, and as I expand upon in my complaint to the Data Protection 
Commission of Ireland, Google’s internal free-for-all infringes one of the 
primary principles of the General Data Protection Regulation. The “purpose 
limitation principle”! set forth in Article 5(1)b of the Regulation provides that: 


“Personal data shall be collected for specified, explicit and legitimate purposes and 
not further processed in a manner that is incompatible with those purposes. ..”14 


19. Purposes can not be vague. The Article 29 Working Party noted in its 2013 
opinion on purpose limitation that each purpose must be: 


“detailed enough to determine what kind of processing is and is not included within 
the specified purpose, and to allow that compliance with the law can be assessed and 
data protection safeguards applied” .15 


It explicitly ruled out vague descriptions such as “improving users’ 
experience” and “marketing purposes”, saying these “will not normally be 
sufficiently precise delineations of the scope of processing” .!° 


20. The European Data Protection Board’s 2018 guidance on transparency gave the 
following examples of phrases that are “not sufficiently clear as to the purposes 
of processing”: 


“We may use your personal data to develop new services” 
“We may use your personal data for research purposes” 
“We may use your personal data to offer personalised services”! 


As the enclosure “Inside the black box” shows, this is language that Google 
uses. 





13 This is a long-established principle of data protection and privacy law. Purpose limitation dates 
back at least to the 1973 FIPPs devices in the United States, and incorporated in the 1974 US Privacy 
Act, and to the Council of Europe 1973 Resolution on privacy and electronic data banks. Committee 
of Ministers, Resolution (73)22 on the protection of the privacy of individuals vis-a-vis electronic 
data banks in the private sector, 26 September 1973. 

14 GDPR, Article 5(1)f. 

15 “Opinion 03/2013 on purpose limitation”, Article 29 Working Party, p. 15. 

16 “Opinion 03/2013 on purpose limitation”, Article 29 Working Party, p. 16. 

17 “Guidelines on transparency under Regulation 2016/679”, European Data Protection Board, 11 
April 2018, p. 24. 


San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


@ brave 


The European Court of Justice has ruled that consent is only valid when “a user 
is in a position to be able to determine easily the consequences of any consent 


21. 
he or she might give”.'® 


22. This requirement of foreseeability applies whether or not consent is the legal 
basis. The European Data Protection Board wrote in 2018 that “a data subject 
should not be taken by surprise at the purpose of processing of their personal 
data”.' 


23. Nor can multiple purposes be bundled together, and a data subject forced to 
accept all. A recital in the GDPR highlights that consent should be granular, by 
purpose: 


“...Consent should cover all processing activities carried out for the same purpose or 
purposes. When the processing has multiple purposes, consent should be given for 
all of them. ...”2 


24. Where multiple purposes are conflated, the company is highly likely to have 
infringed the GDPR’s requirements for lawful basis, in addition to the 
requirements of transparency, fairness, accountability in data protection law. 


“Tf the controller has conflated several purposes for processing and has not attempted 
to seek separate consent for each purpose, there is a lack of freedom. This granularity 
is closely related to the need of consent to be specific .... When data processing is 
done in pursuit of several purposes, the solution to comply with the conditions for 
valid consent lies in granularity, i.e. the separation of these purposes and obtaining 
consent for each purpose.”?! 


25. The language used by EU data protection authorities’ in 2012, that Google 
“combine[s] almost any data from any services for any purposes”,” is virtually 
identical to the Bundeskartellamt’s language in 2019 about Facebook: 
“combining all data in a Facebook user account, practically without any 
restriction” .*° 





18 European Court of Justice, Judgement Court (Grand Chamber) in Bundesverband der 
Verbraucherzentralen und Verbraucherverbande — Verbraucherzentrale Bundesverband eV v 
Planet 49 GmbH, 1 October 2019, Case C-673/17, paragraph 74. 

19 “Guidelines on transparency under Regulation 2016/679”, European Data Protection Board, 11 
April 2018, p. 24. 

20 GDPR, Recital 32 

21 “Guidelines on consent under Regulation 2016/679”, European Data Protection Board, 10 April 
2018, p. 10. 

2 Article 29 Data Protection Working Party to Larry Page, 16 October 2012, p. 2. 

23 Andreas Mundt’s statement in "Bundeskartellamt prohibits Facebook from combining user data 
from different sources", Bundeskartellamt, 7 February 2019 (URL: 


San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


26. 


27. 


28. 


29. 


30. 


@ brave 


In February 2019 the Bundeskartellamt ordered the unbundling of data within 
the Facebook Group, though it addressed only the cross-use of data between 
subsidiaries. The Bundeskartellamt did not address the issue of data free-for- 
alls within subsidiaries too.” (The order was suspended on appeal by 
Düsseldorf Higher Regional Court for reasons unrelated to the merits of the 
purpose limitation issue. It is now before Germany’s Federal Court.) 


EU national data protection authorities have extensive powers to investigate a 
Google’s compliance with the purpose limitation principle, and to compel it to 
end its internal data free-for-all.” 


Despite my spending six months attempting to learn from Google what 
purposes it processes my data for, as is my right under Article 15 of the GDPR, 
Google has responded with only a brief list of very general, open-ended 
purported purposes. This is at odds with the reality shown in the enclosed 
“Inside the black box” examination. 


The Irish Data Protection Commission is therefore requested to investigate and 
enforce Google’s compliance with the purpose limitation principle. 


Enforcement will have the following consequences: 


i) Google will no longer be able to automatically opt users in to all of its 
products and data collection; 


ii) it will not be able to bundle multiple requests for consent in to conflated 
opt-ins for multiple purposes; 


iii) it will lose the vast, unlawful data advantage it has gained from combining 
and cross-using the personal data of users; 





https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_F 
acebook. html). 

24“Bundeskartellamt prohibits Facebook from combining user data from different sources 
Background information on the Bundeskartellamt’s Facebook proceeding”, Bundeskartellamt, 7 
February 2019, p. 2, 5. 

25 Powers of investigation are provided for in GDPR, Article 58(1)b, e, and f. Powers to ban processing 
are provided for in GDPR, Article 58. 


San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


@ brave 


iv) people who use a Google product will have the power to functionally 
break up Google by withdrawing their consent for granular purposes — a 
consumer-led functional separation of Google; and 


v) Google will have to compete on the merits in every market that it competes 
in. 
Recommendations 
Accordingly, we propose two recommendations: 

a. The Competition and Consumer Protection Commission should liaise 
with the Data Protection Commission to maximize the market benefit 
of enforcement of purpose limitation. 

b. The Competition and Consumer Protection Commission should put 
the purpose limitation remedy on the agenda of national competition 
authorities across the EU. It should call for collaboration between data 
protection and competition authorities at the EDPS Clearing House 
meeting in Spring. 


I would welcome the opportunity to discuss these issues with you and your team. 


Sincerely, 


Johnny Ryan FRHistS 


Chief Policy & Industry Relations, 
Brave 


Enclosures: 





26 Article 7(3) of the GDPR provides that “It shall be as easy to withdraw as to give consent”. In very 
many cases, consent is likely to be the applicable legal basis because Article 9(2)a provides that data 
that reveal a person’s “racial or ethnic origin, political opinions, religious or philosophical beliefs, or 
trade union membership, and the processing of genetic data, biometric data for the purpose of 
uniquely identifying a natural person, data concerning health or data concerning a natural person’s 
sex life or sexual orientation” can only be processed if “explicit consent” has been given (unless the 


data were already made manifestly public). 


San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


8 


@ brave 


Encl. 1. Complaint to the Irish Data Protection Commission. 

Encl. 2. Inside the black box: a glimpse of Google’s internal data free-for-all. 
Encl. 3. Correspondence with Google regarding data processing purposes. 
Encl. 4. Google Account sign up. 


cc: 
Executive Vice President Margrethe Vestager, Commissioner, DG Competition; 
Andreas Mundt, President, Bundeskartellamt; 

The Rt. Hon. Lord Andrew Tyrie, Chairman, UK Competition & Markets Authority; 
Isabelle de Silva, President, Autorité de la concurrence. 


San Francisco 512 Second St., Floor 2, San Francisco, CA 94107 London Mindspace Shoreditch, 9 Appold St., London, EC2A 2AP 


9