Google faces EU legal action on privacy

Privacy sandbox not as private as implied, argue privacy advocates

Google faces EU legal action on privacy

The complaint was filed with the Austrian data protection authority on 13th June and consists of two key allegations.

The first concerns Privacy Sandbox API which was introduced last year to replace the system of third-party cookies which collected data from websites for the purposes of targeted advertising. Google said at the time that it was phasing out third-party cookies because of privacy concerns.

Google Privacy Sandbox was supposed to "protect people's privacy online and give companies and developers tools to build thriving digital businesses."

The complaint centres on the fact that the replacement for third-party cookies (which still haven't been phased out completely) is "topics." These "topics" are various advertising categories and Google is still tracking the interests of users based on their behaviours in Chrome.

The complaint therefore accuses Google of deceiving users and marketing Sandbox API as a "privacy feature" rather than making it clear to those users that Chrome was asking for consent to have its browser track users. The consent request uses words including "protect", "limit" and "privacy features" which noyb argues is deliberately misleading to users.

The complaint also alleges that users have been manipulated into consents.

The interaction of the General Data Protection Regulation (GDPR) and Digital Services Act (DSA) means that Google is designated a "very large online platform" and that it must ask users for consent before collecting their data in the EU.

This requires a pop-up box which users must tick before data is shared. However, the advocacy group claimed that Google manipulated users into consenting by engineering its prompt to make it more likely that users would give consent.

The complaint also alleges that Google intentionally showed a broad range of topics like to imply that the data collected was generic, as opposed to showing topics and sub-topics which are much more granular and more personalised.

Other banners explaining the data is collected to enable more targeted ads, present users with a "Got it" button or a settings option. These are default unless the user goes into settings and manually disables them, and the complainant argues that Google is failing to present users with a genuine choice to opt out of data collection.

The complaint has been filed at the same time as Google announced that it is working on a new feature in Chrome that will enable users to interact with the AI when they run searches in their browsing history.

Whilst the feature may soon enable Chrome users to search browsing history with natural language, the feature will submit search data to Google.

This data will include, according to Google, "the history search terms, page content of best matches, and generated model outputs". The data may also be accessed by human reviewers for the purpose of improving the feature. Chrome saves the content of pages in an encrypted form on the device itself. There is no confirmation from Google about whether this data will be anonymised or not.

This feature can be turned off or on in Chrome but whether Google chooses to risk another legal run-in by enabling it as default remains to be seen.