The highly popular smartphone app WetterOnline shares the personal data of its users with hundreds of third-party companies for advertising purposes. Until a few days ago, this included highly precise location data which can be used to derive a user's place of residence and workplace or even a visit to a military base. This data has ended up on marketplaces where it's openly offered for sale. Only the users themselves don't receive their data. WetterOnline refuses to provide information about processed data, claiming that complying with the GDPR’s right of access would be too costly. noyb is now filing a complaint with the relevant data protection authority in Germany.
Precise location data is a security risk. Research by netzpolitik.org and other international media showed that popular smartphone apps share the location data of several hundred million Europeans with third-party companies. Data brokers then consolidate data from numerous sources and build up comprehensive data collections. What makes this even more problematic is that the location data also includes the so-called Mobile Advertising ID (MAID). This is a unique identifier for each user. With the help of all this data, individual people can be pinpointed to within a metre. In the next step, it is then possible to deduce frequently visited places such as the place of residence and work, but also visits to a rehab clinic or a military base. As netzpolitik.org vividly demonstrates, the availability of such information can even pose a national security risk.
Ingo Dachwitz, journalist at netzpolitik.org: "Our Databroker Files research shows that the trading of our data is completely out of control. No one can keep track where the data that smartphone apps supposedly collect for advertising ends up. This already would be a problem if the data were really only used for personalised advertising. In the wrong hands, for example of intelligence services, stalkers or Nazis, they become a real danger."
It's raining data – for third parties. The team at netzpolitik.org and its partners managed to get hold of such a data set, along with information about the origin of the location data that was being sold. WeatherOnline, an app that has been downloaded more than 100 million times, is among the apps that particularly stand out. According to the data set, the app collected the exact location data of tens of thousands of users in just one day and in Germany alone – and sold it off to numerous third-party companies in the advertising industry. So-called real-time bidding (RTB) is likely to play a central role here. This involves auctioning off advertising space to the highest bidder within milliseconds. As a side effect, the personal data of targeted users also ends up with a large number of other players in the advertising ecosystem. According to WetterOnline's privacy policy, these include more than 300 companies. A few days ago, however, WetterOnline amended the consent form and privacy policy on its app. It now states that GPS location data will no longer be used for advertising purposes.
Respect the fundamental rights of those affected? Supposedly too much effort. To find out more about the location data traded online, netzpolitik.org journalist Ingo Dachwitz submitted an access request to WetterOnline – and was promptly rejected because “extracting and compiling all this data would require considerable technical, personnel and financial resources”. According to the company, the request represents a “disproportionate effort” – which, however, is not an exception under the GDPR. In other words: WetterOnline obviously has no problem sending users' personal data to hundreds of third-party companies. Only when a data subject wants to exercise their fundamental right to data protection, it seems to go too far. WetterOnline simply refuses to comply with the legal obligation to provide information.
Martin Baumann, data protection lawyer at noyb: “The GDPR makes it clear that data subjects have the right to a copy of their data processed by a company. There is simply no exception for an allegedly ‘disproportionate effort’. WetterOnline must comply with EU law just like all other companies.”
Complaint filed in Germany. noyb has now filed a complaint with the data protection authority of North Rhine-Westphalia on behalf of netzpolitik.org journalist Ingo Dachwitz (WetterOnline is based in Bonn). noyb is asking WetterOnline to fully comply with the complainant's access request and to provide both a copy of the personal data processed and information about the recipients of that data. In order to prevent similar violations in the future, noyb is also proposing that the competent authority impose an administrative penalty.
