Yesterday, we reported (German language article only) that Google in its privacy policy informs Android users that “When you use our services or view content provided by Google, we automatically collect and store certain information in server logs. This includes: […] telephony log information, such as your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.”
What specific data Google stores is not clear since it is encrypted on the Android device. We did find out though that immediately after a call was made the phone established a connection to Google’s servers and transmitted data.
A spokesperson for Google Germany did not answer questions concerning which data the company collects and why. He did claim that Google has the right to store the data based on the consent given by Android users, who need to accept Google’s privacy policy to be able to use Android. Peter Schaar, former German federal commissioner for data security and chairman of the ARTICLE 29 Data Protection Working Party of the EU, says this is not the case and Google’s practices may even violate fundamental rights.
mobilsicher.de: Mr Schaar, Google says it stores “telephony log information, such as your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls” when making phone calls using an Android device. Data protection rules allow users to agree with informed consent to data storage and processing by private companies. Fair enough?
Schaar: Not at all. Companies need either a legal authority or consent if they want to process personal data. In this case, I do not see a legal basis for the comprehensive processing of the data concerned. Data may be used if it is necessary to establish a connection. To do this, it needs not be transferred to a Google server.
At the same time I see no valid consent to a general transmission of the data to Google. Firstly, most users do not expect that all of their personal data and that of the calling-party is stored by Google. This absence of clarity means that a general transmission of data cannot be justified.
Additionally, consent means a “freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” We can hardly assume this consent here if the alternative to consent is that you cannot use your phone to make calls in case you don’t agree that all this data ends up on Google’s servers.
mobilsicher.de: What about the fact that Google says it stores the data of people calling Android phones, not using Android phones themselves?
Schaar: If that is really the case, it's just another reason why this alleged agreement cannot be effective. We’re talking about third-party data here. It is evident that I cannot effectively consent to Google storing data of a third party, say someone who calls me or someone I call from an Android phone.
mobilsicher.de: So if we cannot assume effective consent, what then?
Schaar: That depends on which data is collected and processed. Do you know what Google collects?
mobilsicher.de: No, we could not yet find out, because the data is encrypted on the device. Data is being transferred, but we do not know which. When asked what data they collect, Google declined to answer.
Schaar: If Google really collects all the traffic data generated by a call this would violate privacy regulations. It might even be a criminal offense. It must be examined to what extent Google is bound to the secrecy of telecommunications, given that the company is party to providing telecommunications services. In that case the data processing without a legal basis could be a criminal offense. In addition, it needs to be clarified if data is illegally processed for commercial purposes without the knowledge of the data subject. That could constitute a criminal privacy violation under German law.
mobilsicher.de: What does all this mean for users?
Schaar: Google has an obligation to immediately tell us what data it stores, for what purpose, for how long it stores the data, where it is stored and how it is used. This is the only way the company can counter accusations that this – again – is an enormous breach of users’ trust.
Using piecemeal tactics, conceding only what can no longer be denied, as it has been the case in the covert acquisition of wireless data as part of the Street View programme, would be unbearable. The issue here has a new, much larger dimension. We’re talking about the secrecy of telecommunications here, not - as in the Wi-Fi scan case – about signals that everyone could have collected in the streets.
If it turns out Google actually learns about who calls whom when and for how long, this would have further consequences. German law provides for privileged communications of certain professions that are bound to secrecy: doctors, employees of addiction counselling centres, lawyers and social workers.
They would be liable to prosecution if they disclose protected information without authorization to third parties. So if Google should learn about the communication between a patient and a doctor because the doctor uses an Android phone, the doctor can be accused of committing an unlawful disclosure. Lawyers, doctors, priests and journalists could not legally use Android phones any more.
mobilsicher.de: So who needs to step up now?
Schaar: This is an issue for the data protection authorities - not just in Germany. We have to find out which data has actually been processed. If it is true what you suspect, based on the available information, this would entail a dimension that also needs the EU Commission to step up.
Google has a very strong, possibly dominant position in the smartphone market with its Android operating system. This is the reason why European Commission is investigating Google in an antitrust case. If Android is used to collect confidential data of European citizens and transmit it to the US, then this could constitute a violation of fundamental rights.
We also need to take into account the on-going discussion about Safe Harbor and Privacy Shield, regulating the transmission of data to the US. The EU Commission must get a clear picture of what is happening here as soon as possible. Moreover, US authorities need to get into the game, the Federal Trade Commission in particular.
