Well, tell me what the big risk or concern of a Google employee sitting down and actually reading your e-mail is?
Them indexing it, correlating it with all that other data they already have on you, storing and actively working with this data, including allowing 3rd parties to run near-arbitrary JavaScript on your client, based on near-arbitrary criteria they can specify, is in my opinion much worse.
Opens you up for this data being stolen off of Google's servers and for all kinds of attacks:
- Spear phishing
- Narrowing down the criteria, so that it only targets you, then reading out the IP that you're connecting from. If you're travelling from public WiFi to public WiFi, this can describe your path extremely precisely.
- Malware distribution in those ads. As the ads can be targetted to relatively small groups, they aren't going to be as thoroughly vetted and malware can go unnoticed for quite a while.
As for the GDPR killing Gmail, that's not what I meant. They'll have to make a good few adjustments, but they'll be able to continue operating it.
What I meant is killing Google's practise of having every question of consent being ticked off with one global ToS. That is something where the GDPR is quite clear that it's not legal. You have to ask for consent for each piece of information individually (exempt is information that you actually need to operate the service) and you're in general not allowed to bury questions of consent in ToS.
