A few weeks ago, Google announced changes in its privacy policies that will affect users of its services, such as search, Gmail, Google+ and YouTube. Advocates and legislators questioned the changes, saying that there were privacy issues, and criticized (pdf) the Internet services giant for not including an opt-out provision; Google said that users who objected could stop using its services and move their data elsewhere. Google responded to the criticisms in a letter (pdf) to U.S. lawmakers and a blog post.
Indeed our preliminary analysis shows that Google’s new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects. […]
The fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either. We request that Google complies with articles 10 and 11 of the Directive. To this end, Google should supplement existing information with service and purpose specific information. […]
Moreover, rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raise fears about Google’s actual practices. Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purpose, even for trained privacy professionals. In addition, Google is using cookies (among other tools) for these combinations and in this regard, it is not clear how Google aims to comply with the principle of consent laid down in Article 5(3) of the revised ePrivacy Directive, when applicable.
The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services; they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation, especially with articles 6 and 7 of the Data Protection Directive.
This is the latest privacy problem for Google, which faces mounting criticism about its privacy policies.