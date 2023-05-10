



When Mohamed Maslouh, a London-based contractor, was assigned to enter data into Google’s internal gHire recruitment system last September, he found something surprising. The database contained profiles of thousands of people in the EU and UK, with names, phone numbers, personal email addresses and résumés going back to 2011.

Maslouh had received data protection training from Randstad, the European talent giant that hired him, so he knew something was wrong. British law after Brexit.

By law, companies in the European Union and the UK cannot retain personal data, i.e. information about identifiable living individuals, for longer than strictly necessary. This usually means a maximum retention period measured in weeks or months.

Maslouh filed a protected whistleblower complaint with the UK’s Information Commissioner’s Office (ICO) in November and with the Irish Data Protection Commission (DPC), which oversees Google’s activities in the EU, in February. Following the complaints, Google may face investigations into potential violations of the GDPR.

The allegation comes at a time when Google is already under scrutiny in both the EU and the UK for potential anti-competitive conduct related to its online advertising technology and how it charges in the Android app store. It also continues to appeal a $4.3 billion fine imposed by the EU over other Android-related antitrust violations. The company has previously been fined tens of millions of euros by authorities in France, Spain and Sweden for GDPR violations.

Google says it introduced a global auto-deletion tool last year to protect the privacy of job seekers and candidates on gHire, in line with GDPR requirements. The rollout ended in the fall, after Maslouh raised concerns with Randstad and Google, though Google says the tool was announced internally as early as 2021.

However, even if the questionable data has been removed as Google says, the timeline shows non-compliance more than four years after the GDPR took effect in May 2018, bringing with it the threat of fines of as much as 4% of global annual revenue for serious violations.

Michael Kistler, a German data protection lawyer, told Fortune that if they are taking this long to comply with the law, it is their problem.

Google’s removal process

Google told Fortune that the removal tool’s deployment came after years of careful development to ensure it met both regulatory requirements and the business needs of companies.

“Google was obligated to delete data within a maximum of one year [after the end of the application procedure] if they had taken the right steps,” said Dutch privacy lawyer Nandenie Lachman.

The GDPR itself does not specify a maximum permissible retention period, but personal data should be retained in a form that permits identification of the data subject for no longer than is necessary for the purpose behind its collection. The European Commission emphasizes that data should be stored for as short a time as possible. The Dutch privacy regulator states that it is customary to delete such data within four weeks of the end of the application procedure, but if the applicant gives permission for extended retention, the data can be kept for up to a year (Lachman says he didn’t).

Under the GDPR, which makes processing personal data unlawful unless there is a good reason, the burden of proof is on Google to explain how what it was doing was lawful: not only having the data, but also keeping it for a long time.

“If they can’t implement a good enough deletion process, why did they collect the data in the first place?” Kistler asked. “So they broke it, and they broke it, and they said, ‘It took a while because it was such a big company.’ So what? That’s no argument.”

To protect the privacy of applicants and candidates, a Google spokesperson said it has strict policies, processes and access limits that are in line with the law, including GDPR. “Like most companies, we continually update our internal processes and systems as legislation changes.”

“We only retain certain information about job applicants for a limited period of time. This is industry practice and is limited to candidates who have applied for a job at Google, who have been referred to a position by a Google employee, or who a recruiter believes to be competent and suitable for roles based on formal job profiles.”

What the whistleblower found

Maslouh was a 34-year-old employee of Randstad last year. Randstad was contracted by Google to identify potential job applicants and input publicly available information obtained from services such as LinkedIn into gHire, Google’s applicant tracking system.

Upon gaining permission to access the system, Maslouh discovered that some of the European personal data in the system was outdated. He also noted that many of the records of so-called passive applicants, who did not actively apply to Google, showed no evidence that Google had ever reached out to them. Many of these individuals were listed as working for organizations such as Interpol, the CIA, the UK Home Office, the European Parliament and the US Securities and Exchange Commission.

Maslouh complained to Randstad about the legal consequences of potential GDPR violations and the ethical issues surrounding Google’s collection of data on reluctant candidates at the time of its hiring freeze. When Google announced its hiring slowdown in July 2022, the company said it would continue to hire for engineering, technical, and other key roles.

“I want those people to abide by the law when I myself apply for a job or use any service,” Maslouh told Fortune.

Maslouh said Randstad advised him to submit an anonymous whistleblower report on the GDPR issue to Google through the tech giant’s submission portal. He did so in mid-October, before submitting whistleblower reports to the ICO in the UK and the DPC in Ireland. The complaints, which Fortune has confirmed, point out that “a significant amount of this information has been kept in the system since 2011 [and] has not been removed,” and allege that Google obtained some personal data by scraping it from the internet.

The term scraping refers to the automatic extraction of online data. This is a dangerous practice under GDPR for several reasons. Affected people are unaware that their data has been scraped, and highly sensitive data such as race and health can only be legally collected with explicit consent. Maslouh bases his scraping accusation on what he saw: the lack of correspondence recorded in the gHire profiles of some people, and the questionable mismatch between a candidate’s recorded employment and the roles for which they might be considered.

But Google, which says it recruits people from a wide range of backgrounds, vehemently denies scraping non-public data on potential candidates.

“Our systems only collect information about job applications received from candidates through referrals or publicly available information related to hiring,” a Google spokesperson said. “Information about candidates regarding current or previous employment was provided directly by candidates or was included in resumes or public profiles.”

Fortune spoke with six people whose data were included in the evidence gathered by Maslouh in early September last year. Only one said he had never applied for a Google job or been contacted by the company, a claim Google disputes. One declined to comment, while the other four said they had interacted with Google.

Maslouh no longer works for Randstad. When he refused to continue working on the Google account until he was satisfied that the work was GDPR compliant, he says, Randstad did not offer him the option of working on a different account and instead asked if he wanted to quit the company. Maslouh said he received four months’ compensation after taking that option and filing a constructive dismissal lawsuit.

“Randstad encourages all employees, personnel and third parties to report concerns through its fraud reporting procedures,” a Randstad spokesperson said in an email. The spokesperson declined to respond to Maslouh’s explanation for his resignation, saying the company could not comment on individual cases.

According to Kistler, the reason many companies are not complying with European privacy laws is that the GDPR is not being fully enforced by authorities, which is a common problem.

“Very often companies take risks simply because they know that something is very unlikely to happen [to them],” he said.

The UK Information Commissioner’s Office declined to comment on Maslouh’s allegations and said it could not comment on ongoing allegations made by individuals. The Irish Data Protection Commission did not respond to multiple requests for comment.

