There’s plenty of Google news out there today, what with the company holding its I/O developer conference. But outside the celebration of A.I. and Pixel devices, here’s a Google story that’s not on the agenda.
Last September, Mohamed Maslouh, a London-based employee of HR giant Randstad, was tasked with entering potential job candidates’ public LinkedIn data into Google’s internal applicant tracking system, gHire. Randstad had trained Maslouh in the EU and U.K.’s General Data Protection Regulation, so when he saw old personal data—dating back as far as 2011—in gHire, he knew something was wrong.
The GDPR says companies can only hang on to someone’s personal data for as long as it’s really, really needed. In the case of recruitment databases, that generally means weeks or a few months after the application process closes. It does not mean several years.
As detailed in my story about Maslouh’s revelations, which we published today, Google says it has now implemented a global deletion tool to bring gHire into compliance with the GDPR and other legal frameworks. The rollout ended after Maslouh discovered the old data, so much of it has apparently now been deleted.
However, the GDPR came into effect in May 2018, so it could well be that Google was breaking the law for several years. And as data-protection lawyer Michael Kissler told me, the complexity of Google’s deletion tool—which apparently meant it took years to develop—is not much of an excuse. “If it takes them so long to be in line with the law then it’s their problem,” he said.
Incidentally, one of the people whose privacy rights were seemingly violated also happens to be a European privacy lawyer, named Nendenie Lachman. Does she think Google met the GDPR’s requirements in the way it managed job candidates’ data? “I have my doubts,” she told me.
The big question now is whether the U.K. and Irish data-protection authorities confirm the violations and penalize Google. Maslouh has filed protected whistleblower complaints with both. However, while the GDPR theoretically comes with big teeth—fines can go as high as 4% of global revenues—enforcement is patchy, which is according to Kissler why so many companies think they can risk noncompliance.
Google has already received fines over other GDPR violations from authorities in France, Spain, and Sweden. Perhaps those were not the last.
More news below.
Want to send thoughts or suggestions to Data Sheet? Drop a line here.
David Meyer
Data Sheet’s daily news section was written and curated by Andrea Guzman.
