Most of the world has been under some form of lockdown for weeks, but that clearly hasn’t stopped the indefatigable Austrian privacy expert Max Schrems from working on his next legal action under the EU’s GDPR. Last year, he lodged a complaint with the French Data Protection Authority (CNIL) over what he called the “fake consent” that people must give to “cookie banners” in order to access sites. Now he has set his sights on Google’s Android Advertising ID, which is present on every Android phone. It builds on research carried out by the Norwegian Consumer Council, published in the report “Out of control”.

Today noyb.eu filed a formal GDPR complaint against Google for tracking users through an “Android Advertising ID” without a valid legal basis. The data collected with this unique tracking ID is passed on to countless third parties in the advertising ecosystem. The user has no real control over it: Google does not allow to delete an ID, just to create a new one.

The Android Advertising ID (AAID) is central to Google’s advertising system. It allows advertisers to track users as they move around the Internet, and to build profiles of their interests. Google claims that this “gives users better controls”, which is true if people want to receive highly-targeted advertising. But if they wish to opt out of this constant tracking, there is a problem. Although Google allows you to change your AAID, it is not possible to do without it completely: the best you can manage is to get a new one. And as the detailed legal complaint to the Austrian Data Protection Authority (pdf) from Schrems points out, there are multiple ways to link old AAIDs with new ones:

Studies and official investigations have proved that the AAID is stored, shared and, where needed, linked with old values via countless other identifiers such as IP addresses, IMEI codes and GPS coordinates, social media handles, email addresses or phone number, de facto allowing a persistent tracking of Android users.

Schrems’ organization None of Your Business (noyb.eu) claims that’s unacceptable under the GDPR:

EU Law requires user choice. Under GDPR, the strict European privacy law, users must consent to being tracked. Google does not collect valid “opt-in” consent before generating the tracking ID, but seems to generate these IDs without user consent.

Google’s position is weakened by the fact that Apple gives users of its smartphones the ability to opt out of targeted ads; for those using iOS 10 or later, the advertising identifier is replaced with an untrackable string of zeros:

If you choose to enable Limit Ad Tracking, Apple’s advertising platform will opt your Apple ID out of receiving ads targeted to your interests, regardless of what device you are using. Apps or advertisers that do not use Apple’s advertising platform but do use Apple’s Advertising Identifier are required to check the Limit Ad Tracking setting and are not permitted by Apple’s guidelines to serve you targeted ads if you have Limit Ad Tracking enabled. When Limit Ad Tracking is enabled on iOS 10 or later, the Advertising Identifier is replaced with a non-unique value of all zeros to prevent the serving of targeted ads. It is automatically reset to a new random identifier if you disable Limit Ad Tracking.

The formal legal complaint was filed on behalf of an Austrian citizen, requesting that the AAID should be deleted permanently. If the action succeeds, that would allow anyone in the EU — and probably elsewhere — to do the same. In addition, the complaint points out that under the GDPR, the maximum possible fine, based on 4% of Google’s worldwide revenue, would be about €5.94 billion. There’s no chance such an unprecedented sum would be imposed, but the fact that every Android user in the EU is forced to use Google’s AAID could lead to a fairly hefty fine if Schrems succeeds with his latest legal defense of privacy.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Techdirt.