Google told to change its privacy policy

In an unprecedented move, the European Union's national data protection regulators have asked Google to make changes to its new privacy policy to protect the rights of its users.

The request was made in a formal letter sent on Tuesday (16 October) by the EU's Data Protection Authorities united within the so-called Article 29 Working Party. The letter was signed by 24 of the EU's 27 data regulators plus those of Croatia and Liechtenstein.

Leading the inquiry on behalf of Europe, France's data protection watchdog – the Commission Nationale de l'Informatique et des libertés (CNIL) – had already questioned the legality and fairness of Google's new privacy policy, introduced in March.

The new policy consolidated 60 privacy policies into one and pooled data collected on individual users across its services, including YouTube, Gmail and its social network Google+. Users cannot opt out.

The regulators' letter said: "Combining personal data on such a large scale creates high risks to the privacy of users."

"The investigation showed that Google provides insufficient information to its users [including passive users], especially on the purposes and the categories of data being processed," the regulators wrote.

Regulators said the investigation "confirmed our concerns about the combination of data across services," saying Google's new Privacy Policy, released on 27 July, allows it to "combine almost any data from any services for any purposes".

"Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed," the letter says.

"Therefore, Google should modify its practices when combining data across services for these purposes," the letter said.

Google did not immediately react.

In the past, the company has said the changes would allow it to tailor search results more accurately and improve services for consumers. Google has also said previously it is confident that its privacy policy does not run afoul of European law.

In the letter, the regulators listed 12 "practical recommendations" for Google to bring its privacy policy into line. The first five cover how Google tells people about how their personal information and browsing records will be used, highlighting location data and credit card data in particular.

The regulators also want Google to spell out its intentions and methods for combining data collected from its various services. They want the web search giant to ask users for explicit consent when bundling data together, the letter said.

Online ads

The pooling of anonymous user data across Google services is a big advantage when selling online ads.

Google and other large internet groups like Facebook provide free services to consumers and earn money from selling ads that they say are more closely targeted than traditional TV or radio campaigns.

Chris Watson, a lawyer at CMS Cameron McKenna LLP, said "Google is being very aggressive and are playing for high stakes because these [privacy policy] changes are very valuable to their advertising business."

"They may be prepared to test the legal position in Europe to see what they can get away with."

The tussle with the EU over data privacy comes at a delicate time for Google.

Europe's antitrust authorities are also examining the company's business model to see if it uses its clout in search advertising to favour its own services over competitors' offerings. Google is in talks with EU regulators on the case, and could offer concessions.

Monique Goyens, director-general of the European Consumer Organisation (BEUC), said the investigation "confirms our concerns that Google’s privacy policy sits on the wrong side of EU data protection rules".

"The purpose of Google’s privacy policy was to centralise personal data gathered from its delta of services into a single user profile. But this paid no heed to the very different contexts and reasons for which users provided such personal information," Goyens said in a statement.

"Key issues such as what type of personal data is collected, for what purpose and for how long it is retained were willfully neglected," she said, adding that these "are not just mere questions of good practice but legal obligations".

"No matter how big a company, European laws and fundamental consumer rights should not be ignored. Indeed, as a pacesetter it’s all the more important for Google to comply and be seen to do so."

In March 2011, EU Justice Commissioner Viviane Reding spelled out new privacy rules for personal data held on the Internet, including a "right to be forgotten" that would allow users to permanently delete data held by companies.

Reding's proposals would overhaul the EU's 15-year-old Data Protection Directive. Her "four pillars" include urging more transparency from companies that process personal data, making privacy the default setting on websites and ensuring that all companies that operate in the European Union follow EU data protection rules.

Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002.
