CONTINUEThis site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.
  1. Front Page
  2. News By Topic
  3. EU Regulators Tell Google To Revise Its Privacy Policy

EU Regulators Tell Google To Revise Its Privacy Policy

by Ulrika Lomas,

18 October 2012

After several months of investigation, the European Union’s Article 29 Data Protection Working Party, led by the French data privacy regulator CNIL, has informed the internet company Google that it should change its new privacy policy to protect the personal data of European citizens.

In a letter to Google, the European regulators are recommending that, in particular, Google should provide clearer information to users and offer them improved control over the combination of data across its numerous services. Furthermore, they want Google to modify the tools it uses to avoid excessive collection of data.

Despite the concern expressed in preliminary findings by CNIL and a call by the Working Party for a pause to its implementation, Google went ahead with the application of its new privacy policy from March 1, 2012. It has gotten rid of over 60 different privacy policies across its products and replaced them with one that covers multiple products and features.

At the time, Google confirmed that its privacy principles remained unchanged, stating that: “Our goal is to provide you with as much transparency and choice as possible, through products like Google Dashboard (which summarizes the data associated with each product used, and provides links to control personal settings) and Ads Preferences Manager alongside other tools.” It re-confirmed that it would never sell personal information, or share it, without a person’s prior permission.

After the new policy’s implementation, the CNIL sent two successive questionnaires to Google. The company, it was said, replied on April 20 and June 21, but several answers were incomplete or approximate. In particular, Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy.

The analysis of Google's answers and the examination of numerous documents and technical mechanisms by CNIL's experts have, therefore, led the EU data protection authorities to draw their conclusions, and the letter sent to the company on October 16 from the Working Party makes several recommendations.

Firstly, the letter states that it is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. As the Working Party believes that the new privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data, Google is challenged to commit publicly to these principles.

In addition, under the policy, it is considered that a Google service's user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed.

Google is asked to provide clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations. For instance, the Working Party recommends the implementation of a presentation with three levels of detail to ensure that information complies with the requirements laid down in the European Data Protection Directive.

Google is also accused of not providing user control over the combination of data across its numerous services, as, in practice, any online activity related to Google (use of its services, of its system Android or consultation of third-party websites using Google's services) can be gathered and combined, and that CNIL’s investigation also showed that the combination of data is extremely broad in terms of scope and age of the data.

It is pointed out that the EU Data Protection Directive provides a precise framework for personal data processing operations, that Google must have a legal basis to perform the combination of data of each of these purposes, and that data collection must also remain proportionate to the purposes pursued. Google has also refused to provide retention periods for the personal data it processes.

The Working Party therefore requests Google to modify its practices when combining data across services. It should, for example, reinforce users' consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics. This could be realized by giving users the opportunity to choose when their data are combined.

It should offer an improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose for which service their data are combined, and adapt the tools used for the combination of data so that it remains limited to the authorized purposes. The tools used for security could, for example, be differentiated from those used for advertising.

The letter, signed by all 27 European data protection authorities, has been sent to Google “to allow the company to upgrade its privacy policy practices”.

It is also pointed out that several of the European recommendations are supported by members of the Asia Pacific Privacy Authorities and Canada's Privacy Commissioner has had similar concerns about various Google activities. The United States Federal Trade Commission has also had cause to investigate Google’s privacy programme, and a settlement in the US requires Google to undergo regular, independent privacy audits for the next 20 years.

TAGS: individuals | compliance | business | commerce | law | enforcement | internet | e-commerce | standards | regulation | European Union (EU) | services | Europe

To see today's news, click here.


Tax-News Reviews

Cyprus Review

A review and forecast of Cyprus's international business, legal and investment climate.

Visit Cyprus Review »

Malta Review

A review and forecast of Malta's international business, legal and investment climate.

Visit Malta Review »

Jersey Review

A review and forecast of Jersey's international business, legal and investment climate.

Visit Jersey Review »

Budget Review

A review of the latest budget news and government financial statements from around the world.

Visit Budget Review »

Stay Updated

Please enter your email address to join the mailing list. View previous newsletters.

By subscribing to our newsletter service, you agree to our Terms and Conditions and Privacy Policy.

To manage your mailing list preferences, please click here »