Privacy activist Max Schrems targets Google over unstoppable Android user tracking

April 7, 2021, 8:45 AM UTC

The Austrian privacy activist Max Schrems has made yet another complaint about a Silicon Valley giant: This time it’s Google and its Android mobile operating system, which Schrems and his data-protection organization say illegally tracks Android users.

The lawyer claims Google is infringing the privacy rights of the more than 300 million European citizens who use Android phones.

It will be worth following what happens with this complaint, because Schrems has a track record of getting results. He’s the reason that two data-sharing agreements between the U.S. and the EU have collapsed, leaving businesses uncertain about how to legally transfer personal data from the EU to the U.S.—a situation that will likely persist unless the U.S. reforms its surveillance practices.

The new complaint, which Schrems’s nonprofit Noyb (“None of your business”) lodged Wednesday with the French privacy watchdog CNIL, centers on the Android Advertising ID (AAID). This piece of code is unique to each Android device, and the operating system passes it to app developers and advertisers so they can track users’ activity and target them with personalized ads.

According to Schrems and Noyb, Android creates the AAID without the user’s knowledge or consent, thus breaking the EU’s so-called cookie law. This law, the 2002 ePrivacy Directive—which is in the process of being revamped—is separate from the EU’s blockbuster 2018 General Data Protection Regulation (GDPR).

Crucially, filing an ePrivacy complaint will enable the French regulator to make a decision on its own, rather than having to drag the process out by liaising with other watchdogs across Europe—as would be the case with a GDPR complaint about a company operating across the bloc.

CNIL has shown a willingness to crack down hard on Big Tech over privacy violations. Just months ago, it fined Google more than $120 million for violating the ePrivacy Directive by placing cookies in users’ browsers without asking for their consent or explaining why the tracking would take place.

Schrems and Noyb also made ePrivacy complaints in November about Apple and the IDFA tracking code used in its iPhones. Those complaints were filed in Germany and Spain, alleging that even though Apple is introducing changes to block third parties from accessing the IDFA without explicit user consent, the changes won’t stop Apple itself from doing so.

In the case of Android, Noyb’s complaint also says that it is impossible for users to delete the AAID code that is tracking them—they can only reset the ID. This is also the focus of a separate, GDPR-based complaint that Noyb lodged last year in Austria, to which there is no resolution in sight.

“Imagine having colored powder on your feet and hands that marks your every step and action: everything you touch within the mobile ecosystem. And you can’t remove it—you can only change it to a different color,” said Noyb privacy lawyer Stefano Rossetti in a Wednesday statement. “This is what the Android Advertising ID is all about—a tracker that marks your every action within and beyond the mobile ecosystem.”

Google had not responded to a request for comment at the time of this writing.