A bug in Google+ had been allowing close to 438 third-party apps to access the data of close to 5 million users, including their full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status. Google covered up this information for months to avoid regulatory action and a Facebook-Cambridge Analytica-like situation. It is alleged that the security bug that caused the breach had been active since 2015 and was discovered and stopped only in March 2018.
Google released a statement on this issue saying that its Privacy & Data Protection Office had looked into the type of data involved, whether it identifies the users, whether there was evidence of misuse of the data, and whether it could be rectified. Since none of the above conditions were met, they did not disclose information about the leak. Some sources claim that Google didn’t divulge this information in order to avoid coming under scrutiny, as Facebook had.
Google has ceased its social media services under the brand Google+ and has promised to reform its privacy policies to give users more control of the information they wish to share with others.
- Even though there is no federal law in the USA that obliges Google to disclose data leaks, the law of California, the state where Google is headquartered, requires companies to disclose a data breach when the information leaked is an individual’s name, their social security number, insurance details, etc.
- As per GDPR, it is compulsory for any company to make such data breaches public within 72 hours. Choosing to stay quiet on the data leak will count against Google on grounds of accountability.
- Non-disclosure of this privacy bug could land Google in trouble, with a class action and a Facebook-like justification in front of Congress. It may be fined heavily for breach of GDPR laws, aside from the public backlash.