by neffy 2948 days ago
Companies have had two years to get their act sorted out on this.

I can still purchase a "new" 2 year old phone. I think that is a valid question.
If a product that was in compliance goes out of compliance due to legal changes, it generally has to be pulled from the shelves. I'm saying this strictly from a legal perspective, not endorsing it per se, and I acknowledge the significant expense involved. But this sort of thing happens pretty frequently in a lot of other industries, and the result is pulled product and often a lot of destruction of unsold product.

In this case, fortunately, the hardware may not necessarily need to be destroyed, but it couldn't be sold until the software stack complies. Or, more likely and more economical, ship the phones somewhere where they are still legal and ship new stock into the EU with updated software. Or make sure there's an immediate update available for the phones and petition the EU for a variance on the grounds that as long as they update, they'll get compliant software. There are a number of options.

If Google had made software updates available which gave the correct options and were GDPR compliant,

but the OEM/network don't approve or supply those updates, is Google at fault? (In this case it's a non-Google phone running Android.)

> But the OEM/network don't approve or supply those updates, is Google at fault? (In this case it's a non-Google phone running Android.)

Great question. I have no idea, and with the GDPR having been looming on the horizon for two years now, this is something that would be beneficial (and cost-effective) to spend money on getting quality legal advice about.

To anyone who has seen the complaints about startups having to spend $20k on a lawyer to explain the GDPR to them: a small startup won't be facing complicated legal questions like these (and those who insist on doing so have been given ample warning).

A friend of mine has an online business that involves offering/reselling/managing a client's domain registrations (as part of a package of specialised hosting services). Meaning he can't really get around sharing his clients' information with third parties (registrar, other domain shop, I'm not sure). The 25th of May is approaching. He reads up on the GDPR, makes some adjustments to how or what data he stores (because earlier, you know, it was considered good practice to "store all the things" just in case), writes a 3-page license agreement (I suppose he took a boilerplate example and adjusted it to his needs), sends it to his clients to agree to, and done. Less than a week's work.

Interesting line of argument; if it was a CE compliance issue it would clearly be the vendor/importer. But the GDPR doesn't talk about devices, it talks about data controllers.

Information commissioners can't require data controllers to do things which cannot reasonably be done. So I think this ends up with "the existing phones are fine for technically necessary data processing, but buying an Android phone cannot be direct marketing consent in and of itself".

It's Google's terms, and Google is the one who determined the mandatory flow of that setup as per agreement with the hardware vendor. The EU could absolutely hold them responsible for not having this sorted out with their partners, it isn't like the OEM put the terms on a device and sold it without Google's permission.
But the OEM is responsible for software support for their devices (this is the entire Android model and why Google has been working so hard on the Treble project the past year+). Since the current version of Android doesn't have this problem, I don't see how this is Google's problem.
It's Google's terms for an agreement with Google. How could any reasonable person make the claim it is not Google's problem? Especially considering they had two years to prepare, and 2018 phones still have this problem.

Presumably, if moderately recent phones were compliant, Google could ensure that outdated/invalid consent forms were only tentatively accepted until Play Services updated within the first day or so of activation, and then presented a remedial consent form which was GDPR compliant. The EU would very likely accept this solution as a technical best effort method to ensure older devices were respecting people's rights.

But it sounds like they never really put in the effort. What version of Android is GDPR compliant? 8.1?

Aren't the ToS pulled from the web when you set it up with a Google account? I doubt you're agreeing to two-year-old ToS.
Possibly, but it still might not be possible for Google to provide a means to decline the ToS without issuing an update (which, as has been pointed out, wouldn't be possible to install anyway without accepting the ToS).
Then it's a device that does not comply with the regulation and must not be sold.
Terrible for the environment. Let's apply rules with common sense [1]. As much as I am for privacy, this kind of interpretation is very bad.

1. https://study.com/academy/answer/summarize-all-about-a-dog-b...

The device could still be software-updated then sold, or sold outside the EU. Nobody is saying that it must be landfilled.
Sure, that argument could certainly be made. But unless someone is taken to court over this (or at the very least, threats are made), I think people will continue selling such phones. After all, most sellers aren't going to realise their products are in violation of the law.
If they flag compliant devices, it would be possible on the server side to limit data collected that comes in without the "GDPR-Compliant: true" flag.
Even if the ToS are pulled from the web, it might just pull the document, not the UI providing opt-outs, etc.
They could replace it with a document saying “There are no conditions of use. Enjoy your new phone!”
fwiw, the phone in the complaint is from 2018.
Well, think about cars and emission issues that need updates: the manufacturer does recalls and fixes it for everyone. Not sure what's different here? Why not just pull it from stores and fix it if it's violating the law?