Google asked by European privacy authorities to tweak March policy change


But they set no firm deadline for making the changes, nor did they threaten firm action if it does not respond


European privacy authorities have asked Google to tweak the unified privacy policy it introduced on 1 March, but have stopped short of asking it to undo all its changes. They set no firm deadline for Google to make the tweaks, and will leave it to national data protection authorities to decide whether to take regulatory or legal action. 

Google should provide users with more information about its policies, stop combining information from different sources when it is not legally justified, and guarantee to delete personal data after set periods, the authorities told Google on Tuesday in a formal letter to CEO Larry Page signed by the members of the Article 29 Working Party (A29WP), which brings together data protection authorities from across the European Union.

Jacob Kohnstamm, chairman of the Article 29 Working Party, and Isabelle Falque-Pierrotin, president of the French National Commission on Computing and Liberty (CNIL), announcing the results of their investigation of Google's privacy policies in Paris

In February, the authorities wrote to Google asking it to delay introduction of the policy, warning that it appeared to breach European privacy laws. Google refused, prompting the A29WP to ask the French National Commission on Computing and Liberty (CNIL) to conduct a full investigation. 

"I regret that Google did not want to wait. It would have been much better otherwise for the privacy of hundreds of millions of users of Google's services," said Jacob Kohnstamm, chairman of the A29WP and also head of the Dutch data protection authority, at a news conference in Paris.

Google didn't cooperate fully with the investigation, said CNIL president Isabelle Falque-Pierrotin. Despite being sent detailed questionnaires about its policies, it replied with examples and not precise statements.

In the March policy changes, Google combined many different privacy policies into one, and said it may use information from many different sources to modify the behavior of any of its services.

Explicit consent is required for advertising, analytics

European privacy law allows such combination of data in certain cases, including where the user requests it, for security, for the provision of a Google account and for academic research.

However, there are four cases in which explicit consent is required from the service user, said Falque-Pierrotin, including product development, advertising and analytics. Google should seek that consent from its users before combining data to those ends, and also provide them with a way to opt out, Falque-Pierrotin said.

The company should also explain more clearly what data it stores, and for how long, she said.

The members of the A29WP only sent their letter to Page on Tuesday, but they had already presented their recommendations to Google on 19 September, she said.

Those recommendations include ensuring that it complies with Article 5(3) of the European ePrivacy Directive, the so-called Cookie Directive; rolling out to all countries the version of Google Analytics designed to meet German privacy laws; and simplifying opt-out procedures and making them all accessible from a single page.

Even for users not logged in to a Google service, there are four different places they must opt out of Google advertising data collection, said Gwendal Le Grand, head of CNIL's technical advisory team. "If you want to opt out today, it's very long and it's not easy to find how to do it."

Although the members of the A29WP set no firm deadline for Google to take action, Falque-Pierrotin said she expected Google to make a commitment to change its policy within three or four months. If it did not, then she expected that a number of national data protection authorities would take action.

Financial sanctions do not make much difference

The financial sanctions that Google faces are tiny. In a recent case involving the illegal collection of Wi-Fi data by Google's Street View cars, CNIL fined the company €100,000 (£16,000). Google reported a net profit of £1.73 billion ($2.79 billion) for the second quarter, on revenue of £7.59 billion ($12.21 billion). 

"It's not the size of the fine that's important," said Falque-Pierrotin. She is counting on the bad publicity that will result if Google does not change its ways.

The A29WP's action had also received the support of data protection authorities in other countries, including Australia, Canada, Mexico and Hong Kong. 

Things are a little different in the US, said Kohnstamm: the Federal Trade Commission there is already taking its own action against Google.

However, he said, he expects the concerted action of all the other data protection authorities to send a clear message to Google - and to other big Internet companies - that they are serious in their demands, and that privacy protection is something on which companies can compete to win customers.
