Why Privacy International Has Filed a Global Complaint Against Gmail
Privacy International, the long‑standing watchdog that champions individual privacy rights around the world, has once again taken a stand against Google’s flagship email service. Building on a 2004 filing in the United Kingdom, the organization has now lodged formal complaints in seventeen European Union member states as well as Canada and Australia. The move signals that the organization believes Gmail’s data practices are not just inconvenient - they may breach privacy law across multiple jurisdictions.
At the heart of the filing is a claim that Gmail routinely scans user emails for contextual advertising and keeps copies of messages even after a user deletes them. According to Simon Davies, director of Privacy International, these practices violate the core principles of the General Data Protection Regulation (GDPR) and similar privacy frameworks in other countries. Davies highlighted that the organization’s concerns are not limited to a single nation; rather, they encompass a broad swath of legal regimes that share common safeguards around personal data.
Privacy International’s decision to file complaints in so many countries reflects a strategic approach. Rather than rely on a single regulatory authority, the organization aims to create a network of legal pressure points that can collectively prompt a review of Gmail’s data handling policies. This multijurisdictional tactic has precedent: previous complaints by the organization over Google’s search algorithms and location services led to data‑protection investigations in the UK, Germany, and France. By mirroring that approach, Privacy International hopes to ensure that no single jurisdiction can ignore the alleged violations.
In addition to the formal complaints, Privacy International has issued a public statement that outlines the specific legal breaches it believes Google is committing. These include: (1) violating the GDPR’s data minimisation principle by scanning email content beyond what is necessary for service delivery; (2) failing to secure explicit, informed consent from all email recipients, not just the account holder; and (3) retaining data for longer than permissible under the principle of storage limitation. The organization’s filing urges national data‑protection authorities to examine Google’s internal policies and to demand a comprehensive audit of its data‑processing activities.
Google’s history of navigating privacy controversies adds weight to Privacy International’s concerns. The company has previously faced scrutiny over its handling of user data for targeted advertising, as well as over its involvement in law‑enforcement data requests. In 2013, for instance, the company was fined by the French data‑protection authority for failing to provide adequate transparency to users about how their data were used. These past incidents reinforce the argument that Gmail’s practices deserve careful examination under current privacy law.
Another key factor driving the filing is the evolution of privacy regulations since the original UK complaint. The European Union adopted the GDPR in 2018, which introduced stricter rules around user consent, data minimisation, and the right to be forgotten. The GDPR also expands the concept of “personal data” to include any information that can identify a natural person, directly or indirectly. Email content falls squarely within this definition, meaning that Gmail’s scanning and retention of user data could be interpreted as a direct violation of GDPR provisions.
Privacy International’s appeal to regulators is also framed around the principle of proportionality. Under GDPR, the processing of personal data must be necessary and proportionate to the purpose it serves. Targeted advertising, while potentially beneficial to users, must not override individuals’ rights to privacy. Privacy International argues that Google’s scanning of email content for ads is neither necessary nor proportionate, particularly when users can simply disable targeted ads from their account settings. The complaint calls for regulators to assess whether Google’s practices meet the proportionality test established by the GDPR.
Finally, the organization’s filing is a reminder that privacy is a global issue, not confined to the borders of one country. By engaging regulators in multiple jurisdictions, Privacy International hopes to spark a broader conversation about how tech companies handle personal data. This is especially relevant in the context of cross‑border data flows: Gmail’s servers are distributed across the globe, and the data that Google collects in one country may be processed or stored in another. The filing insists that international cooperation is essential to ensure that privacy rights are upheld wherever data travel.
Key Privacy Violations: Scanning Emails and Retaining Deleted Messages
The heart of the complaint lies in two technical practices that have raised red flags among privacy advocates and regulators alike. The first is Gmail’s automated scanning of email content. Google’s approach involves analysing the text and metadata of incoming messages to determine which contextual advertisements to display. While the company claims this scanning is necessary to personalize ads and improve user experience, critics argue it represents an excessive use of personal data.
Scanning email content for advertising purposes runs counter to the GDPR’s data minimisation principle, which requires that only data strictly necessary for the specified purpose be processed. In the case of targeted advertising, the amount of personal data needed can be far less than full email scans. Google could instead rely on metadata, such as sender domain or subject line, without delving into the actual message body. The fact that Gmail performs a full‑text analysis raises concerns about whether the practice is truly proportionate to the benefit users receive.
The second is the retention of deleted emails. Google’s privacy policy indicates that users can delete emails from their inbox, but the company does not always remove these messages from all its storage locations immediately. In some instances, deleted emails may remain stored in backups or on servers for an extended period, sometimes months after the user has taken action to delete them. This practice is problematic under the storage limitation rule, which requires that personal data not be kept longer than necessary for the purpose for which it was collected.
Under GDPR, users have the right to be forgotten, meaning they can request that their personal data be erased. When a user deletes an email, they expect that all copies of that message - whether in the inbox, trash folder, or backup - are permanently removed. Google’s policy appears to fall short of that expectation. The company claims that backups help maintain data integrity and can be useful for data recovery. However, the privacy community argues that if backups are retained, they should be subject to strict access controls and deletion policies that mirror the user’s request to delete the original data.
Another layer of complexity involves third‑party senders. When a user receives an email from an external sender, the sender’s privacy rights are also at stake. If Gmail scans that email’s content, it effectively collects data that belongs to a third party. Under GDPR, the data controller (Google) must obtain explicit consent from the data subject (the external sender) or establish another lawful basis for processing. In practice, Gmail’s policies do not seek the consent of these third parties. Instead, it applies the same scanning rule to all incoming emails regardless of the sender’s identity, which could be viewed as a blanket infringement of privacy rights.
The regulatory response to these issues has been mixed. In the UK, the Information Commissioner’s Office (ICO) conducted a review of Gmail and concluded that, at the time, the service did not violate UK privacy law as long as it remained transparent about its data collection. The ICO’s report, released in 2020, stated that if Gmail’s policy clearly informs users that their email content may be scanned for advertising purposes, it could be considered compliant. However, the report also noted that the evolving legal landscape, especially after the GDPR came into force, might shift the threshold for compliance.
Privacy International counters this position by stressing that transparency alone is insufficient. The organization argues that Google must also demonstrate that its scanning and retention practices are truly necessary and proportionate. Simply informing users that their data will be used for ads does not absolve Google of its duty to protect privacy. The complaint urges regulators to consider whether Gmail’s advertising practices align with the proportionality test outlined in the GDPR and whether the retention of deleted messages violates the right to be forgotten.
Beyond the legal arguments, there are real‑world implications for users. Email is a primary means of communication for both personal and professional contexts. The scanning of sensitive messages - including health information, financial details, and personal correspondence - could expose users to privacy risks, especially if the data are accessed by third‑party advertisers or, in worst cases, malicious actors. Because deleted emails are retained, users may unwittingly leave their data vulnerable for longer than they intend.
Overall, the complaint underscores the need for clear boundaries around data processing in email services. While targeted advertising can enhance user experience, it must be balanced against the fundamental right to privacy. The filing urges that any data collection that reaches beyond what is strictly necessary for the advertised benefit should be scrutinised and, if necessary, curtailed.
Regulatory Reactions and Google’s Commitment to Dialogue
Following the filing, data‑protection authorities in several countries have expressed a willingness to investigate. The European Data Protection Board (EDPB) has issued a statement that it will consider the complaint under its joint investigation framework. Meanwhile, the Canadian Office of the Privacy Commissioner announced it would monitor Google’s compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). In Australia, the Office of the Australian Information Commissioner (OAIC) confirmed it would review Gmail’s data retention policies in the wake of the complaint.
Google’s public response has been measured. In a statement sent to Reuters, a Google spokesperson said, “We look forward to a detailed dialogue with data protection authorities across Europe to ensure their concerns are heard and resolved.” The company also highlighted that it continuously updates its privacy practices in line with evolving regulations and that it works closely with regulators to uphold privacy standards. However, critics point out that statements like these, while diplomatically sound, do little to address the specific concerns raised by Privacy International.
Within the privacy community, there is a growing call for Google to adopt a more proactive stance. Some advocates argue that Google should voluntarily limit its scanning to metadata, thereby reducing the amount of personal data processed. Others propose that Google should implement a “no‑scan” option for users who prefer higher privacy protection. Under the GDPR, offering granular privacy controls could help Google meet the principle of transparency and user autonomy.
Regulatory responses are shaping the future of email privacy. In the EU, the upcoming ePrivacy Regulation - designed to complement the GDPR - will impose stricter rules on email marketing and cookie usage. If approved, it could directly affect how Gmail processes and stores email data. The UK’s post‑Brexit data protection regime also presents an opportunity for the ICO to refine its guidance on email privacy, potentially setting a new benchmark for global standards.
For users, the best immediate action is to review Gmail’s privacy settings. Turning off personalized ads, enabling “advanced protection,” and regularly clearing the trash folder can reduce the amount of data exposed to scanning and retention. Users should also keep abreast of updates to Gmail’s privacy policy, which may change in response to regulatory pressure.
In a rapidly evolving digital landscape, the interplay between large tech companies and privacy regulators will continue to shape how personal data is handled. The filing by Privacy International serves as a reminder that no company can assume a blanket exemption from privacy laws. Instead, the focus must shift to transparency, proportionality, and respect for individual rights - principles that are at the core of modern data‑protection frameworks.




