December 20, 2013
By Jeff Gould, SafeGov
Google says even non-Gmail users have “no legitimate expectation of privacy” when sending mail to Gmail users
In a recent interview with SafeGov, Dr. Alexander Dix, Berlin’s Commissioner for Data Protection and Freedom of Information, covered a broad range of data protection topics, focusing in particular on SafeGov’s proposal for Codes of Conduct to help EU schools ensure that external cloud services respect student privacy. However, a passing remark he made about Gmail caught our attention, because it reminded us of the highly publicized legal battle over Gmail scanning that is now unfolding in the San Jose, California courtroom of U.S. Federal District Judge Lucy Koh, where a group of Gmail users has launched a class action lawsuit against the Mountain View online advertising company.
The issue of cloud providers scanning consumer email for advertising purposes isn’t typically the focus of SafeGov’s work. As visitors to the site will know, SafeGov is a staunch defender of data privacy and security for sensitive cloud users in the public sector. However, the U.S. court case and the Berlin Data Protection Authority’s assessment of Google’s email scanning practices do in fact have significant implications for SafeGov’s work in the education space, as I will detail in a future post.
To get back to the matter at hand: the issues raised in the U.S. court case are quite simple. First, is an email provider such as Google allowed to scan users’ email for a purpose not related to the provision of the basic email service itself, for example the serving of targeted ads? Second, is the provider allowed to scan the emails even of senders who use an email service other than Gmail? Put simply, the San Jose plaintiffs are arguing that Google’s admitted scanning of their email for ad targeting purposes is illegal under U.S. wiretapping laws because they did not consent to the scanning. Google’s lawyers reply that Gmail users did consent because (1) they accepted the firm’s terms of service, which the lawyers say do allow for scanning, and (2) anyway all email users – even non-Gmail users – have, in the words of an older court ruling cited by the lawyers, “no legitimate expectation of privacy” once they turn over their email to a third party such as Google.
We did not raise the matter of the U.S. court case with Dr. Dix, but he told us quite unequivocally that under German Federal data protection law both the owner of a Gmail account and the owner’s possibly non-Gmail-using correspondents must consent to email scanning for the practice to be legal. In the San Jose case Google acknowledges that non-Gmail users have not consented explicitly to having their email scanned when it is sent to Gmail users, but argues that they have nevertheless consented implicitly, because they must surely have known from reading press articles that Gmail scans people’s email. In the legal language of Google’s lawyers, this remarkable claim is expressed as follows:
“While the non-Gmail Plaintiffs are not bound to Google’s contractual terms, they nonetheless impliedly consent to Google’s practices by virtue of the fact that all users of email must necessarily expect that their emails will be subject to automated processing.” [Google Motion to Dismiss, p. 19]
Google’s lawyers here rather casually conflate the automated storing and forwarding of messages that undeniably constitute the essential function of an email service with the quite different and not at all essential automated scanning of a user’s inbox for “signals” suggesting which ads the user is most likely to click on. Their claim is that since both the Gmail user and the user’s non-Gmail correspondents have consented to some form of automated scanning (albeit the latter only “impliedly”), they have therefore consented to scanning for any purposes that Google regards as “normal”. If you haven’t been keeping up with the press coverage on Google’s data mining practices and didn’t realize that “all users of email must necessarily expect” such behavior on the part of email providers, then sorry, Google is not to blame.
The outcome of the San Jose case is yet to be decided. Google’s lawyers are contesting the judge’s refusal to dismiss the case, and the trial itself may not get under way or reach a conclusion for many months. It is therefore premature to speculate what the long-term impact, if any, will be on Google’s Gmail scanning practices in the U.S. But Dr. Dix’s analysis already suggests that Google’s admissions in its U.S. court filings could have serious repercussions in Germany and other EU countries with similar data protection laws. In his own words:
“If a non-Gmail user sends email to a Gmail user and the sender’s email is analyzed by Google without the sender’s consent, this is a violation of German law. The case of the recipient who is a Google customer is different, because they have in principle already given their consent.”
Dr. Dix was referring to a hypothetical, because he was not aware of firm evidence that Google does in fact scan inbound email from non-Gmail users. But in its U.S. court filings Google has now openly acknowledged that this scenario is far from hypothetical: it systematically reads the email of non-Gmail users in order to target ads at recipients who are Gmail users, and it not only admits doing so without first obtaining the explicit consent of the senders, but further claims that it has a perfect right to do so. The implications of Dr. Dix’s assessment are thus clear – Google’s practice of scanning email without consent is illegal in Germany and therefore raises the possibility of legal action in the German courts against Gmail. This conclusion obviously raises the broader question of whether Gmail could face similar consequences in other EU member states. Dr. Dix pointed out that there are significant differences among EU national data protection laws, and cited the example of the UK, where the consent of the recipient is sufficient. However, we suspect the British approach may be more the exception than the rule in Europe, and the issue is certainly worth looking into further.
It remains to be seen whether German or other European consumers will actually take up this issue and pursue court actions against Google over its ad scanning practices. But the evidence that has now been released into the public domain by Google itself certainly provides ample ammunition for such cases, should concerned users decide to take action.