Under Article 27, if a controller or processor is not established in the EU but processes personal data of EU residents, then the controller or processor must designate an EU-based representative in writing. They cannot take the lead DPA role. Controllers without any establishment in the EU must deal with local supervisory authorities in every member state they are active in, through their local representatives.
A company that has operations in multiple countries needs to deal with one supervisory authority (the lead supervisory authority, LSA) instead of having to deal with a supervisory authority in each country of operations. The lead supervisory authority will coordinate any investigation. Identifying the LSA depends on determining the location of the controller’s main establishment or single establishment in the EU.
The GDPR came into effect on 25th May, 2018 in all EU countries, with the aim of protecting data. This law does not apply to data generated anonymously. The 88-page GDPR states that data must be deleted if it is not being used for a particular purpose, and that it cannot be transferred to external databases. The GDPR allows pseudonyms, where the personal data is replaced with a code. The GDPR applies to non-European countries if data from EU citizens is being processed or if the branch is anywhere in the territory of the EU. It doesn’t matter if the data is B2B or B2C. All companies based in the EU that process data from citizens of the EU are affected by these regulations. A website needs to be GDPR compliant. Any data collected or processed should be limited to the minimum necessary amount. Consent must be obtained through clear and decisive action. It is not acceptable to use any free check boxes while obtaining the consent. If any kind of analytics program is being used, it is the responsibility of the service provider to make sure it is compliant. Users can get in touch with the provider to exercise their GDPR rights and freedoms. If a visitor wants to be completely forgotten, there should be a mechanism that allows that to happen automatically.
The white paper summarizes Alphabet Google’s unfair practices in terms of data privacy. Users don’t expect privacy from Google, even though it should be provided according to the law. In the case of Google, it was using emails to target advertisements to get more customers. After the GDPR regulation, it was found that big tech companies like Google, Facebook and Amazon didn’t meet the requirements of the GDPR.
The Federal Trade Commission protects American consumers. No matter how big or small, all companies should abide by FTC orders and keep their privacy promises to consumers, or else they will have to pay much more than the cost of implementation.
Even after 2011, Google didn’t stop its deceptive and unfair practices, such as:

| Year | Unfair practices |
| --- | --- |
| 2004 | Google scanned personal email exchanges to show specific advertisements. |
| 2010 | Google Street View mass eavesdropped on home WiFi communications. |
| 2013 | Google Glass recorded conversations without the other party knowing. |
| 2015 | Google Chrome installed an eavesdropping tool without the user knowing. Google-Nest-Aware eavesdropped on home conversations without others’ consent. |
| 2017 | Google Home Mini secretly recorded conversations without consent. |

Google also has very deceptive consumer privacy operations, such as:

| Year | Deception |
| --- | --- |
| 2011 | Google Buzz social network did not give users privacy control. |
| 2012 | Without users knowing, Google changed the privacy policy for Google+. Google hacked the Safari browser to track Apple’s users to serve them ads. |
| 2013 | Google Wallet shared users’ personal info with app developers. Google Play shared personal info with app developers. |
| 2014 | Google+ forced users to publicly associate with people they do not know. |
| 2015 | Google Education made the Student Privacy Pledge, but does not abide by its representations. |
| 2016 | Google-DoubleClick combined personal info and ad tracking data. |
| 2017 | Google secretly tracked users’ in-store purchase activity. |
| 2018 | Google-YouTube used minors’ personal info without required parental knowledge/consent. |

In 2004, Google scanned confidential emails to serve ads to the user, which the Federal court said was wiretapping. The World Privacy Forum and other organizations took issue with this, as it lowered users’ expectation of privacy in the email medium. Google’s content one-box could wiretap hundreds of millions of people’s opened emails. In 2010, Google moved the device from the storage end to the delivery pipeline, where the data could be extracted before users received the message. In its own defence, Google asked: if the assistant of the receiver can open the mail, then why can’t the email provider? In June 2017, Google stopped scanning private emails.
The Google street mapping project began in 2007. It secretly wiretapped users’ WiFi for emails, passwords and other personal information. In 2010, Google lost the argument to the Supreme Court that it wasn’t wiretapping, and later, in 2013, it was fined $7m by 38 state Attorneys General. Google had to pay a fine of $22.5 million for violating the ‘Buzz Consent Order’ again in 2012 for sharing users’ personal information with Android App Store app developers. In 2015, Nest-Aware offered 30 days of audio and video recording, where recordings were sent to the cloud for analysis. Google’s Buzz social network was easy to join but more difficult to leave. The option to limit the sharing of personal information was difficult to find. The ‘turn off Buzz’ option didn’t completely remove users from the network. Google announced that it would combine the privacy policies of different products into one overall privacy policy, but users couldn’t opt out of the changes in the privacy policy. In Google Buzz, there was a feature to send email to people without knowing their email address. It forced people to be associated with someone they didn’t know. In Google+, any individual could add anyone to their ‘circle’ without that person’s consent. The person who was added to the circle could not remove themselves from it. If the setting of the circle is public, everyone can see the unwanted associated people.
Google was fined $22.5 million for placing cookies in the Safari browser to track Apple customers for targeted advertisements. In 2017, Google again paid a $17 million fine to 37 State Attorneys for the same Safari hack. In 2017, a reviewer at Android Police discovered that the Google Home Mini was turning on on its own and recording conversations. The same year, a Quartz investigation found that Google Android devices collect location information automatically without permission and that it’s hard to turn off Google tracking. The Google Education Student Privacy Pledge is a misrepresentation, as the new law states that students’ data must not be collected for profit, whereas the data is collected for monetization. The contract states that it would advertise to students the ‘core’ educational products like Gmail, Docs and Drive, along with Maps, YouTube, Android Play Store, Google+ and Chrome.
Hence, we can see through a number of examples how Google is deceiving its users and unethically using their data.