    Update: French Data Protection Agency Investigates Google’s Impending Privacy Policy Changes

    A few weeks ago, Google announced changes in its privacy policies that will affect users of its services, such as search, Gmail, Google+ and YouTube. Advocates and legislators questioned the changes, saying that there were privacy issues, and criticized the Internet services giant for not including an opt-out provision; Google said that users who objected could stop using its services and move their data elsewhere. Google responded to the criticisms in a letter to U.S. lawmakers and a blog post.

    Last week, 36 U.S. state attorneys general wrote to Google raising privacy and security questions about the announced privacy policy changes. “Google’s new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products. […] This invasion of privacy will be costly for many users to escape. […] The problem is compounded for the many federal, state, and local government agencies that have transitioned to Google Apps for Government at the encouragement of your company, and that now will need to spend taxpayer dollars determining how this change affects the security of their information and whether they need to switch to different platforms.” The attorneys general noted that they were not satisfied with the letters Google sent to Congress and others; in fact, the letters “have raised as many questions as they have answered.”

    Several weeks ago, the EU’s Article 29 Data Protection Working Party wrote to Google about the privacy policy changes, which affect 60 Google services. The Working Party includes data protection authorities from all 27 European Union member states as well as the European Data Protection Supervisor. The Working Party asked Google to halt implementation of these changes while the data protection authority in France (the National Commission for Computing and Civil Liberties, CNIL) investigates. Now, the CNIL has written to Google detailing preliminary findings from its investigation into the announced privacy policy changes. Because the findings suggest the company may be headed toward violations of the European Data Protection Directive, the CNIL again asks Google to halt implementation of its privacy policy changes. The CNIL’s Isabelle Falque-Pierrotin writes:

    Indeed our preliminary analysis shows that Google’s new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects. […]

    The fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either. We request that Google complies with articles 10 and 11 of the Directive. To this end, Google should supplement existing information with service and purpose specific information. […]

    Moreover, rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices. Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purpose, even for trained privacy professionals. In addition, Google is using cookies (among other tools) for these combinations and in this regard, it is not clear how Google aims to comply with the principle of consent laid down in Article 5(3) of the revised ePrivacy Directive, when applicable.

    The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services; they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation, especially with articles 6 and 7 of the Data Protection Directive.

    The CNIL says that it will soon send Google a full questionnaire about the announced privacy policy changes “as well as other related aspects of Google’s data processing activities.”

    This is the latest privacy problem for Google, which faces mounting criticism about its privacy policies.
