    Update: European Regulators Announce Legal Issues with Google’s Privacy Policies

    To recap: In January, Google announced changes in its privacy policies that would affect users of its services, such as search, Gmail, Google+ and YouTube. Advocates and legislators questioned the changes, saying that there were privacy issues, and criticized (pdf) the Internet services giant for not including an opt-out provision. The critics included 36 U.S. state attorneys general, who wrote to (pdf) Google raising privacy and security questions about the announced privacy policy changes. The EU’s Article 29 Data Protection Working Party wrote to (pdf) Google about the privacy policy changes, which affect 60 Google services. The Working Party, which includes data protection authorities from all 27 European Union member states as well as the European Data Protection Supervisor, asked Google to halt implementation of these changes while the data protection authority in France (the National Commission for Computing and Civil Liberties, CNIL) investigates. Google refused and its new privacy policies went into effect in March. The CNIL investigation has continued, with Google answering two questionnaires about its privacy policies from the authority.

    Now, the CNIL has written (CNIL pdf; archive pdf) to Google to announce findings (CNIL pdf; archive pdf) from its investigation and recommendations for changes from the Internet services giant. The authority says that there are issues with Google’s privacy policies and that they may violate European data-protection laws. In the letter, the authority says: “In particular, Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles.”

    The authority also notes:

    Additionally, the investigation unveiled several legal issues with the new privacy policy and the combination of data.

    Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed. Internet companies should not develop privacy notices that are too complex, law-oriented or excessively long. However, the search for simplicity should not lead internet companies to avoid the respect of their duties. We require from all large and global companies that they detail and differentiate their processing operations.

    Secondly, the investigation confirmed our concerns about the combination of data across services. The new Privacy Policy allows Google to combine almost any data from any services for any purposes. Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user, the protection of the individual’s fundamental rights and freedoms overrides Google’s legitimate interests to collect such a large database, and no contract justifies this large combination of data. Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed. Moreover, Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it. Combining personal data on such a large scale creates high risks to the privacy of users. Therefore, Google should modify its practices when combining data across services for these purposes. […]

    Finally, Google failed to provide retention periods for the personal data it processes.

    In a statement reported by the New York Times, Jacob Kohnstamm, head of the Dutch data protection authority and a signatory to the CNIL letter to Google, “said national regulators probably would take legal action to compel changes. ‘After all, enforcement is the name of the game,’ Mr. Kohnstamm said.” The New York Times also reported: “Google said in a statement that it believed that what it calls its privacy policy was legal.”

    Read the full documents from the CNIL for more on the legal issues and its recommendations to Google.
