
Lessons from Google's Geographical GDPR Goof - CrankyBear
https://www.dmnews.com/data/data-management/data-privacy/article/21047138/dont-be-stupid-3-lessons-from-googles-geographical-gdpr-goof
======
ggm
We (staffers) wanted to consider Google G Suite for integrated mail/calendar.
We couldn't because as an Asia-Pacific entity, we felt we wanted a guarantee
our data was in an Asia-Pacific (preferably Australian) DC and under local law.

What we found, is that only the US State and federal governments can demand US
located data from Google. All other economies and agencies can _ask_ for
local, but cannot have it a checkbox requirement: Google retain the right to
host you wherever they decide, subject to laws they decide.

Somebody else has noted that Microsoft, for all their faults, actually looked
at customers in Europe and said "you know what: we can declare hosting in
Ireland is subject to EU laws and we will (at the right price) guarantee your
data is in the EU, subject to EU law" and for that, I salute them.

I think Google got this wrong. I think Microsoft got this right.

We didn't go with G Suite. We went another direction with mail and calendar.

~~~
dmurray
> as an Asia-Pacific entity, we felt we wanted a guarantee our data was in
> Asia-Pacific (preferably Australian) DC and under local law.

I don't understand why you would want a generic Asia/Pacific location. It
makes sense that you might want it to be in a particular jurisdiction for
legal purposes, so I understand specifying Australia, in the same way other
businesses specify EU or US or China. But why would you ever want to say "put
our data somewhere in this hemisphere, Australia or Malaysia or Korea are all
OK but don't let it be in Ireland or the USA"?

~~~
ggm
Ideally we wanted OZ. Google hadn't even come onshore at that point. We wanted
it in our hemisphere; we'd have settled for JP or SG probably. It wasn't on
offer: Google didn't sell "put my data in my chosen jurisdiction", it sold "we
put it where we want to, unless you are the US government in which case yes
sir whatever you want sir".

Being told they do "now" is great. 5+ years too late. And, the evidence about
this is that Google cave to intercept requests far faster than Microsoft do.
Microsoft ask for strong evidence you have jurisdiction. Google don't make any
public noise about this, or about how they act.

I am not a hater btw. I use a lot of google product.

(To latency: a lot of fiber in Asia goes odd paths. Being in Japan or SG
wasn't actually a good guarantee it would be faster than from the USA.)

~~~
fmajid
Oz is probably the worst possible location for any kind of data other than
China or North Korea due to their new encryption law. I realize that wasn’t
the case 5 years ago.

~~~
ggm
Right. Which hopefully will evaporate in the coming election although I
wouldn't trust Labor on that.

------
josteink
Things like this are why Microsoft is still retaining a lot of business
customers which Google will never touch.

They care about addressing the customers' needs first and foremost, while
Google's #1 priority will always be tracking and ads.

When the EU said processing needed to be done in the EU, Microsoft was fine
with that, while Google has been playing nice only on paper.

With rulings like this, guess which one will seem more reliable and dependable
(from a business POV) for the EU market?

Not Google. That’s for sure.

~~~
ipsum2
Pretty odd comment, considering Windows 10 does a lot of tracking and ads.

> Windows 10 Collects Activity Data Even When Tracking Is Disabled, But You
> Can Block It

[https://lifehacker.com/windows-10-collects-activity-data-eve...](https://lifehacker.com/windows-10-collects-activity-data-even-when-tracking-is-1831054394)

> We also display advertising in some services, and we’d prefer to show you
> ads you find interesting.

[https://privacy.microsoft.com/en-us/windows10privacy](https://privacy.microsoft.com/en-us/windows10privacy)

And the numerous steps you have to take to improve your privacy:

[https://github.com/adolfintel/Windows10-Privacy](https://github.com/adolfintel/Windows10-Privacy)

~~~
emn13
As it pertains to this complaint though, those all seem less relevant than
the issue of, well... plain non-compliance? I mean, if they didn't even have a
DPO...

Still, let's not overstate this "record-breaking" fine. It's not large, at all.
It's only a fraction of profits (not revenue) in France alone. Even if
Google fully expected to take this hit, it might not have bothered to change
its behavior. The fine, by itself, has no impact on Google's business. The
greater risk, really, is that they've got a record now: if they get caught
again, they'll be more likely to suffer more punitive measures that really are
relevant to its core business.

Also, they come across as slightly incompetent, really: I'm kind of surprised
such a huge organization didn't bother to prepare very well. I mean, for some
the law might have come as a surprise, but it's not been unannounced, and it
sure looks like Google, amongst others, might even count as the law's raison
d'être. How exactly did they miss that?

~~~
chopin
Legally, they can't pay the fine and continue their behavior. It's not a cost
of doing business as you are required to alter your behavior.

~~~
emn13
Exactly. The fine is basically a token at this point; it's the potential for
followup that matters.

------
theyinwhy
We are currently struggling with Firebase Cloud Messaging as the instance ID
has been deemed personally identifying by our lawyers, which Google clearly
does not think is the case (they don't even offer a data processing contract
for Firebase). So, if you are currently using Firebase Cloud Messaging, there
is a big chance you are in violation of GDPR.

~~~
ogeidix
Are you familiar with [1] and [2]?

1. [https://firebase.google.com/support/privacy/](https://firebase.google.com/support/privacy/)

2. [https://firebase.google.com/support/privacy/manage-iids](https://firebase.google.com/support/privacy/manage-iids)

~~~
theyinwhy
I was told the main problem is that Google's view on things is not on par with
GDPR. Google claims that "Data associated with Instance IDs is generally not
personally-identifying" (see 2.), which our lawyers say they clearly are. In
that regard, Google does not talk about instance IDs or, worse, data
processing in between APNs and the sending backend (see 1).

The current legal situation does not allow us to use Firebase Cloud Messaging.

------
twunde
I don't think I had understood the why behind Google's GDPR fine prior to
this. It's also illustrative of the challenges of running a worldwide business
with GDPR. Google knew it had a target on its back, is organized and spent a
lot of time becoming GDPR compliant and STILL screwed up in a significant way.

~~~
ggggtez
IMO, it seemed that the purpose of GDPR was to create a legal arrangement to
tax/fine Google (and other big US tech companies). The fine was going to
happen one way or another, the question was just how big it would be in the
end.

For some context on why: consider those "cookie" notices you see on every site
now. The notices are often obtrusive, usually don't have a "no" button, don't
make it clear how to withdraw your consent if you do click "yes"... So if
every company is in violation, and no one knows how to do it correctly even
with millions of reasons why... Then how exactly is it going to protect user
privacy in the real world?

~~~
jacquesm
If that is what you got from the available materials and the track record of
the EU DPAs to date then you should probably do some more reading.

EU companies have as much or more stake in being compliant than the few US
tech giants active on EU soil.

I see the impact of the GDPR on EU based companies every week and it is
definitely moving the needle towards more secure operations and a much better
attitude towards stewardship of data-subject related data.

~~~
ggggtez
I don't claim to be an expert, but this random site claims that British
companies have suffered 10k data breaches [0]. According to this, there have
only been 91 fines. I don't see how someone can come to the conclusion that
this is actually helping data be more secure.

[0] [https://tech.newstatesman.com/gdpr/data-breaches-gdpr](https://tech.newstatesman.com/gdpr/data-breaches-gdpr)

~~~
jacquesm
> I don't see how someone can come to the conclusion that this is actually
> helping data be more secure.

The fines are not what has made things more secure, the work done to
avoid the fines is.

Before the GDPR pretty much every company I looked at had absolutely terrible
security; since the GDPR came into effect most companies have at least stopped
seeing security as a cost to be avoided, with an associated increase in
awareness at the rest of the company and better processes and controls to
ensure that data does not leave the servers when it isn't intended that way.

It's 91 fines _so far_, and a whole pile of warnings and interventions; give
it a few years and the cumulative effect will be substantial.

Oh, and that 10K number is only the breaches that the companies are aware of
and that have been reported, the real number is likely to be much higher. And
without the GDPR it would be much higher still.

------
amenod
I have a very difficult time understanding any of this. I mean, yes, for most
SMEs 50 million dollars would be some money, but for Google? Peanuts. Who
cares if they messed up? If this is the penalty for it, bring it on... It was
a cheap school for them (not on how to do GDPR properly, but how to get better
at avoiding penalties in the future).

Seriously, I hope EU can do better than that. We could really use some real
privacy protections, especially from the likes of Google, Facebook, Microsoft,
Apple, Amazon,...

~~~
Macha
If you look at some of the GDPR fearmongering (particularly stuff like "Oh no,
my designated DPO left and it took us a week to find a replacement." or "Oh
no, my 1 person company with no automated process got a GDPR request while I
was on holiday in the Bahamas and I took too long" leading to 4% of revenue
fines), one of the points made is that the EU tends to not apply the maximum
penalty immediately, based on the severity of the offence and whether it's a
repeat offender. So this is (a) Google's first offence and (b) it seems the
finding is about a technicality that could be a genuine mistake (1 day after
GDPR, Google's TOS didn't mention Google Ireland yet), so it's understandable
that they didn't pull out the 4% of global revenue fine. Even though
ultimately the Google behavior is the target of the legislation, not giving
Google the same "first time's a warning" type treatment as local SMEs sounds
like a good way to start a trade war.

The next GDPR violation Google is accused of, they will now be a repeat
offender and more likely to get a higher fine, until they either become
compliant or end up at the 4% of revenue fine.

~~~
Mirioron
> _one of the points made is that the EU tends to not apply the maximum
> penalty immediately based on the severity of the offence and whether it's a
> repeat offender._

But this is how it's done because it's standard practice, not because the law
stops them from doing it.

~~~
NeedMoreTea
You might want to look up the EU requirement for proportionality in penalties,
and the ECJ cases where a regulation or penalty was found not to be
proportionate, before claiming there is no law that stops them from doing
that. It applies to everything EU wide.

That's quite apart from it already being well established in national laws of
many member states.

[https://www.europeanlawmonitor.org/eu-legal-principles/eu-la...](https://www.europeanlawmonitor.org/eu-legal-principles/eu-law-what-is-the-principle-of-proportionality-a-subsidiarity.html)

[https://en.wikipedia.org/wiki/General_principles_of_European...](https://en.wikipedia.org/wiki/General_principles_of_European_Union_law#Proportionality)

~~~
Mirioron
Interesting. Thank you.

But what's the point of setting upper limits to fines at all then? GDPR says
that the maximum penalty is 4% of global revenue or 20 million euros,
_whichever is greater_.

If proportionality is a concept that's followed so well, then why have upper
limits at all? Why word it in a way that clearly hurts smaller businesses
more?

~~~
NeedMoreTea
It doesn't work like that.

I think it was Germany that first introduced proportionality into sentencing,
in the late 19th century. They still have maximum penalties for offences. The
maximum allows a regulator or judge to frame the seriousness of an offence
within those limits, with fewer surprises, and across the range of legislated
offences, as intended by the legislature.

A proportionate fine for a first offence, technical breach by a multinational
like Nestle or Google, who should have plenty of people in legal, might be a
gentle €50 million slap on the wrist. As we can see from this very discussion,
there have been a couple of comments along the lines of "...but that's too
small to hurt, why bother?". A proportionate penalty for a Google or Facebook
on a fifth offence, showing a wilful attempt to dark pattern around the law,
might well turn out to be 4% of global. It's no different to setting criminal
offences with a maximum of ten years in jail and finding most get a fine, and
just a few get jail, let alone a maximum term.

A proportionate first offence penalty for a 5 person early startup, who made a
minor breach, might receive a helpful, but sternly worded letter to help them
comply. The same 5 person startup showing a wilful, habitual pattern of breach
might get (plucks number out of the air) a €20k fine for their fifth offence.
Probably levied after providing proof of their revenue and profit.

The point is supposed to balance the need to a) do enough to encourage them to
not do it again, and b) not nuke them from orbit. It _doesn't_ clearly hurt a
smaller business more. It's meant to hurt each about the same: "enough to
achieve compliance". Intent and extent will affect what is enough too. The aim
is compliance, not revenue, or remaking some sort of financial equivalent of
the Bloody Code. A bankrupt business cannot comply and generates no revenue.

Mistakes, disappointingly large or small penalties and the subsequent appeals
will happen, such is the nature of all law, everywhere. IANAL or I might have
explained that better. :)