Associated Press (AP) has reported that Google is tracking the location of Android-users without their consent. Adroid provided an option to activate the location setting to its users. Although users did not activate the location setting Google tracked the location anyways. Google has reacted to the article by a mere change of the description of the “Location History” on it´s website.  However, Google is still not asking the users for their consent while tracking the location.
1. Legal analysis
The storage of location data needs a legal basis according to Art. 6 GDPR. In general, there are three options available:
- performance of a contract with the user,
- legitimate interest of Google,
- consent of the user.
a. Performance of a contract
Google does not conclude any contract with the user. The service of Google is provided free of charge. Some authors argue that the users pay with their personal data for the service of Google. But there is a lack of any agreement on which data shall be provided by the user for which specific service. Therefore, the fulfilment of a contract according to Article 6 (1) (b) GDPR does not provide a legal basis for Google to process any data of the user.
b. Legitimate interest
Google may claim a legitimate interest to use the location data of the user. The improvement of the service of Google as well as the option to provide additional services to the user – such as providing addresses of restaurant which are close by – might be a legitimate interest of Google. But this interest is to be weighed against the Right to Data Protection of the user. This Right reflects the power of the user to determine the use of its own personal information – or in the American wording the right “to be let alone”. The economic interest of Google cannot outweigh the interest of the user not be tracked. This result is underlined while a less infringing option is available for Google by asking for the consent of the user before storing the location data.
The consent according to Article 7 GDPR requires
- a clear confirmative action,
- a separate consent for each single purpose,
- the prohibition of a consent which is conditional.
Conditional consent means a consent which is connected to a service and contains personal data which is not strictly necessary for the service. E.g. Google, cannot ask for consent to the location data by an option which is connected to its service by “take it or leave it”.
The setting of the location data fulfilled all three requirements. To choose the setting is a clear confirmative action. This setting was separated from other settings. The consent was not conditional, while the service was provided even the user did not consent to the storage of the location data.
But – as AP stated – this consent was misleading the user, because the location data was stored, although the user refused to give his consent.
The change of the description of the “Location History” by Google, which was reported by AP in an additional article, does not represent a consent of the user. Therefore, Google is still in breach of GDPR.
d. Intentional infringement by Google
Based on the facts which were provided by AP, Google was misleading its users by pretending an option to the users while storing the location anyway. Therefore, the infringement of GDPR seemed to be intentional according to Article 83 (2)(b) GDPR.
2. What is the reaction of the data protection watchdog?
The reaction of the national DPAs in the EU will be crucial for Google and for the users who are concerned about their privacy. In a former case against Google the DPAs did not act on their own initiative but were forced to act by a data protection activist.
 See the cases of Max Schrems against Facebook and Google; https://dpoblog.eu/the-potential-outcome-of-max-schrems-first-legal-actions-against-facebook-and-google