When Mohamed Maslouh, a London-based contractor, was assigned to enter data into Googles internal gHire recruitment system last September, he noticed something surprising. The database contained the profiles of thousands of people in the EU and U.K. whose names, phone numbers, personal email addresses and resumés dated back as far as 2011.

Maslouh knew something was amiss, as he had received data-protection training from Randstad, the European human-resources giant that employed him, and was aware of the EUs five-year-old General Data Protection Regulation (GDPR), which remained part of British law after Brexit.

Under the law, companies in the European Union and U.K. may not hang onto anyones personal datathat is, information relating to any identifiable living personfor longer than is strictly necessary, which generally means a maximum retention time measured in weeks or months.

Google may now face investigations over potential violations of the GDPR, after Maslouh filed protected whistleblower complaints with the U.K. Information Commissioners Office in November and with the Irish Data Protection Commission (DPC)which has jurisdiction over Googles activities in the EUin February.

The allegations come at a time when Google is already under scrutiny in both the EU and the U.K. over potentially anticompetitive behavior around online ad technology and billing practices in its Android app store, and as it continues to appeal a $4.3 billion fine levied by the EU over other Android-related antitrust abuses. The company has previously been fined tens of millions of euros over GDPR violations, by authorities in France, Spain and Sweden.

Google says it deployed a global automatic deletion tool last year to protect the privacy of job applicants and candidates in gHire, in line with the GDPRs demands. The rollout ended in the fall, after Maslouh raised his concerns with Randstad and Google, but Google says it announced the tool internally as early as 2021.

However, even if the offending data has now been deleted as Google says, the timeline would indicate over four years of non-compliance after the GDPR came into effect in May 2018, bringing with it the threat of fines as high as 4% of global annual revenues for severe violations.

If it takes them so long to be in line with the law then its their problem, because they are breaching some peoples privacy, German data-protection lawyer Michael Kissler told Fortune.

Googles deletion processes

Google told Fortune the deletion tools rollout followed several years of careful development, to ensure it met both regulatory demands and the companys business needs.

Google would have been obligated to delete data within a maximum of one year [after the end of the application procedure] had they implemented appropriate measures, said Nandenie Lachman, a Dutch privacy lawyer whose profile was among those Maslouh saw.

Although the GDPR itself doesnt specify the maximum retention time that is allowed, it says personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose behind its collection. The European Commission has stressed that data must be stored for the shortest time possible. The Dutch privacy regulator says it is customary to delete such data no longer than four weeks after the application procedure ends, though the data can be kept for up to a year if applicants give their permission for extended retention (which Lachman says she did not do).

Under the GDPRwhich treats any processing of personal data as illegal unless theres a good reason behind itthe burden of proof is on Google to explain how what it was doing was legal, according to Kissler, who suggested Google might be on the hook over its collection of data as well as holding onto it for too long.

If they cannot have a deletion process in place that is good enough, then why did they collect the data in the first place, if they knew it? Kissler asked. So they breached it and they then further breached it and said, It took so long because were such a big company. So what? That cannot be the argument.

We have tight policies, processes, and access restrictions to protect the privacy of applicants and candidates, which are in line with laws, including the GDPR, said a Google spokesperson. Like most companies, we continuously update our internal processes and systems as laws change.

We only retain specific information on job candidates for a limited amount of time, which is an industry practiceand only for candidates who applied to a role at Google, who were referred for a role by a Googler, or who a recruiter believed might be a strong fit for a role based on their public job profile.

What the whistleblower found

Maslouh was last year a 34-year old employee of Randstad, which was contracted by Google to identify potential job candidates and enter their publicly available informationderived from services such as LinkedIninto gHire, Googles applicant tracking system.

When he accessed the system with authorization, Maslouh noticed the excessive age of some of the European personal data within it, and also noted that many of the records for so-called passive applicantswho had not actively applied to Googleshowed no evidence of Google ever having reached out to them. Many of these individuals were listed as working for organizations such as Interpol, the CIA, the U.K. Home Office, the European Parliament, and the U.S. Securities and Exchange Commission.

Mohamed Maslouh (photo provided by subject).

Maslouh complained to Randstad about the legal consequences of a potential GDPR violation, and the ethical issues around collecting passive candidates data at a time when Google had a hiring freeze in placeit should be noted here that, when Google announced its hiring slowdown in July 2022, it said it would continue to hire for engineering, technical and other critical roles.

When I myself apply for a job or use any services, I want those people to be compliant with the legislation, Maslouh told Fortune.

Maslouh says Randstad advised him to write an anonymous whistleblower report about the GDPR issue to Google, through the Big Tech firms submission portal. He did so in mid-October, before filing his whistleblower reports with the U.K. ICO and the Irish DPC. The complaints, which Fortune has seen, noted that a significant amount of this information has been retained on the system since 2011 [and] has not been deleted, while also claiming that Google obtained some of the personal data though scraping it from the Internet.

The term scraping refers to the automated extraction of online data, which is a risky practice under the GDPR for a few reasons: it can involve extracting more data than is necessary for the task at hand; the affected people dont know their data has been scraped; and peoples really sensitive dataabout things like race or healthcan only be legally collected with their explicit consent. Maslouh based his scraping accusation on the lack of recorded correspondence in some peoples gHire profiles, along with what he saw as a suspicious mismatch between the candidates recorded employment and the roles for which they might be considered.

However, Googlewhich points out that it recruits people from a wide range of backgroundsstrongly denies scraping potential candidates non-public data.

Our system only has resumé information from job applications we have received from candidates, through referrals or publicly available information relevant to our recruitment, Googles spokesperson said. Any information we have about candidates current or previous employment was either provided to us directly by the candidate or was included in their resumé or public profile.

Fortune spoke with six of the people whose data was in evidence collected by Maslouh in early September last year. Only one said he had never applied for a job with Google nor been contacted by the companyand Google disputes this. One refused to comment, and the other four all confirmed having had interactions with Google.

Maslouh no longer works for Randstad. When he refused to continue working on the Google account until he was satisfied that the work was GDPR-compliant, he says Randstad asked if he would prefer to work on another account, then failed to provide any such options and asked if he would prefer to leave the company. Maslouh says he took that option and, after filing a constructive dismissal case, received four months pay in compensation.

Randstad encourages the reporting of any concerns via our misconduct reporting procedure which is available to all employees, talent, and third parties, a Randstad spokesperson said in an emailed statement. The company declined to respond to Maslouhs account of his departure, saying it is unable to comment on individual cases.

According to Kissler, many companies fail to comply with Europes privacy law because its a general problem that the GDPR is not enforced well enough by the authorities.

Companies take the risk very often just because they know its very unlikely that something happens [to them], he said.

The U.K. Information Commissioners Office declined to comment on Maslouhs complaint, saying it cannot provide commentary on active complaints brought to us by an individual. The Irish Data Protection Commission did not respond to multiple requests for comment.


Newspapers

Spinning loader

Business

Entertainment

POST GALLERY