When Mohamed Maslouh, a London-based contractor, was assigned to enter data into Google's internal gHire recruitment system last September, he noticed something surprising. The database contained the profiles of thousands of people in the EU and U.K. whose names, phone numbers, personal email addresses and resumés dated back as far as 2011.
Maslouh knew something was amiss, as he had received data-protection training from Randstad, the European human-resources giant that employed him, and was aware of the EU's five-year-old General Data Protection Regulation (GDPR), which remained part of British law after Brexit.
Under the law, companies in the European Union and U.K. may not hang onto anyone’s personal data—that is, information relating to any identifiable living person—for longer than is strictly necessary, which generally means a maximum retention time measured in weeks or months.
Google may now face investigations over potential violations of the GDPR, after Maslouh filed protected whistleblower complaints with the U.K. Information Commissioner’s Office in November and with the Irish Data Protection Commission (DPC)—which has jurisdiction over Google’s activities in the EU—in February.
The allegations come at a time when Google is already under scrutiny in both the EU and the U.K. over potentially anticompetitive behavior around online ad technology and billing practices in its Android app store, and as it continues to appeal a $4.3 billion fine levied by the EU over other Android-related antitrust abuses. The company has previously been fined tens of millions of euros over GDPR violations, by authorities in France, Spain and Sweden.
Google says it deployed a global automatic deletion tool last year to “protect the privacy” of job applicants and candidates in gHire, in line with the GDPR's demands. The rollout ended in the fall, after Maslouh raised his concerns with Randstad and Google, but Google says it announced the tool internally as early as 2021.
However, even if the offending data has now been deleted as Google says, the timeline would indicate over four years of non-compliance after the GDPR came into effect in May 2018, bringing with it the threat of fines as high as 4% of global annual revenues for severe violations.
"If it takes them so long to be in line with the law then it's their problem, because they are breaching some people's privacy," German data-protection lawyer Michael Kissler told Fortune.
Google's deletion processes
Google told Fortune the deletion tool’s rollout followed several years of careful development, to ensure it met both regulatory demands and the company's business needs.
“Google would have been obligated to delete data within a maximum of one year [after the end of the application procedure] had they implemented appropriate measures,” said Nandenie Lachman, a Dutch privacy lawyer whose profile was among those Maslouh saw.
Although the GDPR itself doesn’t specify the maximum retention time that is allowed, it says personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary” for the purpose behind its collection. The European Commission has stressed that data “must be stored for the shortest time possible.” The Dutch privacy regulator says it is “customary” to delete such data no longer than four weeks after the application procedure ends, though the data can be kept for up to a year if applicants give their permission for extended retention (which Lachman says she did not do).
Under the GDPR—which treats any processing of personal data as illegal unless there's a good reason behind it—the burden of proof is on Google to explain how what it was doing was legal, according to Kissler, who suggested Google might be on the hook over its collection of data as well as holding onto it for too long.
"If they cannot have a deletion process in place that is good enough, then why did they collect the data in the first place, if they knew it?" Kissler asked. "So they breached it and they then further breached it and said, 'It took so long because we're such a big company'. So what? That cannot be the argument."
“We have tight policies, processes, and access restrictions to protect the privacy of applicants and candidates, which are in line with laws, including the GDPR,” said a Google spokesperson. “Like most companies, we continuously update our internal processes and systems as laws change.”
“We only retain specific information on job candidates for a limited amount of time, which is an industry practice—and only for candidates who applied to a role at Google, who were referred for a role by a Googler, or who a recruiter believed might be a strong fit for a role based on their public job profile.”
What the whistleblower found
Last year, Maslouh was a 34-year-old employee of Randstad, which was contracted by Google to identify potential job candidates and enter their publicly available information—derived from services such as LinkedIn—into gHire, Google’s applicant tracking system.
When he accessed the system with authorization, Maslouh noticed the excessive age of some of the European personal data within it, and also noted that many of the records for so-called passive applicants—who had not actively applied to Google—showed no evidence of Google ever having reached out to them. Many of these individuals were listed as working for organizations such as Interpol, the CIA, the U.K. Home Office, the European Parliament, and the U.S. Securities and Exchange Commission.
Maslouh complained to Randstad about the legal consequences of a potential GDPR violation, and the ethical issues around collecting passive candidates’ data at a time when Google had a hiring freeze in place—it should be noted here that, when Google announced its hiring slowdown in July 2022, it said it would continue to hire for “engineering, technical and other critical roles."
“When I myself apply for a job or use any services, I want those people to be compliant with the legislation,” Maslouh told Fortune.
Maslouh says Randstad advised him to write an anonymous whistleblower report about the GDPR issue to Google, through the Big Tech firm’s submission portal. He did so in mid-October, before filing his whistleblower reports with the U.K. ICO and the Irish DPC. The complaints, which Fortune has seen, noted that “a significant amount of this information has been retained on the system since 2011 [and] has not been deleted,” while also claiming that Google obtained some of the personal data “through ‘scraping’ it from the Internet”.
The term “scraping” refers to the automated extraction of online data, which is a risky practice under the GDPR for a few reasons: it can involve extracting more data than is necessary for the task at hand; the affected people don’t know their data has been scraped; and people’s really sensitive data—about things like race or health—can only be legally collected with their explicit consent. Maslouh based his scraping accusation on the lack of recorded correspondence in some people’s gHire profiles, along with what he saw as a suspicious mismatch between the candidates’ recorded employment and the roles for which they might be considered.
However, Google—which points out that it recruits people from a wide range of backgrounds—strongly denies scraping potential candidates’ non-public data.
“Our system only has resumé information from job applications we have received from candidates, through referrals or publicly available information relevant to our recruitment,” Google’s spokesperson said. “Any information we have about candidates' current or previous employment was either provided to us directly by the candidate or was included in their resumé or public profile.”
Fortune spoke with six of the people whose data was in evidence collected by Maslouh in early September last year. Only one said he had never applied for a job with Google nor been contacted by the company—and Google disputes this. One refused to comment, and the other four all confirmed having had interactions with Google.
Maslouh no longer works for Randstad. When he refused to continue working on the Google account until he was satisfied that the work was GDPR-compliant, he says Randstad asked if he would prefer to work on another account, then failed to provide any such options and asked if he would prefer to leave the company. Maslouh says he took that option and, after filing a constructive dismissal case, received four months’ pay in compensation.
“Randstad encourages the reporting of any concerns via our misconduct reporting procedure which is available to all employees, talent, and third parties,” a Randstad spokesperson said in an emailed statement. The company declined to respond to Maslouh's account of his departure, saying it is "unable to comment on individual cases."
According to Kissler, many companies fail to comply with Europe's privacy law because "it’s a general problem that the GDPR is not enforced well enough by the authorities."
"Companies take the risk very often just because they know it's very unlikely that something happens [to them]," he said.
The U.K. Information Commissioner’s Office declined to comment on Maslouh’s complaint, saying it cannot “provide commentary on active complaints brought to us by an individual.” The Irish Data Protection Commission did not respond to multiple requests for comment.