Google under pressure to change privacy policy
Privacy & Security Posted on October 18, 2012
Google’s new privacy policy may be in breach of EU law according to 30 European data protection commissioners.
The EU has sent a public letter to Google saying its new privacy policy could be collecting too much data on users and holding that data for too long. Regulators say it’s unlcear what Google new privacy policy even is and that it fails to take user privacy seriously at all.
“Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object,” reads the letter. “Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles.”
With great power…
The commissioners pointed specifically to Google’s storing of cookies and data for between 18 months and two years as possibly being in breach of data protection laws. The French data protection authority – CNIL - has now requested Google provide users with more detailed control over their personal data. This involves splitting up data controls between different Google services, such as Gmail, YouTube and Google+, rather than lumping them all in together, which is exactly what Google’s new privacy policy – introduced in March – set out to achieve.
The EU paints a worrying picture of Google’s increasing access to personal data from across numerous services. According to the CNIL, visits to sites that display a ‘1+’ Google+ button will be stored for at least 18 months, while data collected via DoubleClick ad cookies is stored for two years and can be renewed without consent. The EU said such power and control over user data must be used responsibly.
"The new Privacy Policy allows Google to combine almost any data from any services for any purposes. Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user, the protection of the individual's fundamental rights and freedoms overrides Google's legitimate interests to collect such a large database, and no contract justifies this large combination of data. Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed. Moreover, Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it."
Google retaliates
Yesterday Google co-founder Larry Page went on the offensive, rebutting the EU’s claims. Page said it was “sad” that regulators are trying to restrict types of online data collection and that certain Google products would not have been possible with data collection. The co-founder used the example of a potential Android feature that could prevent your phone from interrupting you during a scheduled meeting.
“That’s almost a trivial thing to know,” said Page. “But for us, solving that problem requires changing our privacy policy, which we’ve now done,” he said. “And now you’ll see those kinds of things roll out.”
But according to a New York Times source, Google execs “breathed a sigh of relief” at the EU response, as it expected the regulators to implement a much harsher penalty, such as fines and concrete charges that Google broke the law. As it stands the EU is giving Google a loose timeframe of 4 months to change its policy and explain more clearly what exactly it does with the data it collects.
“Google bought some time,” said Mark Rotenberg, president of the Electronic Privacy Information Center, adding that the message from European authorities was: “We’ve been through this before, with companies like Facebook, and they responded. If you choose not to respond, you do so at your own risk.”
No stranger…
Of course, Google is no stranger to breaking the law and violating user privacy. As we outlined a couple of months ago, Google has consistently shown complete disregard for user privacy, to the point where it even lied to the FTC about data collection via StreetView, earning itself the biggest fine the regulator has ever imposed. While the EU has made strong criticisms of Google new privacy policy, much of the requests outlined by the CNIL are posed as requests, rather than orders. Such requests are likely to be ignored, or fought against, if we take Google’s past behavior into account. But as data protection lawyer Marc Dautlich told The Guardian, Google may be playing with fire.
“If Google’s get-out is that it’s only being told ‘should’ rather than ‘must’, then it becomes a question of trust,” said Dautlich. “How does a company purport to be transparent and trusted if they’re put to the test and use a legal nicety to avoid it?”
Google is not invulnerable. The more a company proves itself untrustworthy, the more dangerous the PR fallout when things eventually go wrong.
Suggest an edit on GitHub.