Google must rethink privacy policy warn EU data regulators

By Sarah Shearman, mediaweek.co.uk, Tuesday, 16 October 2012 11:07AM

Google's controversial privacy policy has again been thrown into the spotlight, after the search giant was warned by EU data regulators that it must rethink its new privacy policy over concerns that it creates "high risks" to users.

In a letter seen by Media Week, addressed to Larry Page, chief executive of Google, the data regulators have outlined practical recommendations to ensure the search giant adheres to data protection policy in the EU.

Google introduced its new privacy policy, which consolidates more than 60 different product-related privacy policies, in March this year. Google argued it was to simplify user experience, however it was met with consumer outcry.

At that time, the French data regulator the CNIL, on behalf of all data regulators in Europe including the UK’s Information Commission Officer, launched an investigation into the compliance of Google’s new Privacy Policy with the European Data Protection legislation, saying it was "deeply concerned" about the policy, and it had "strong doubts about the lawfulness and fairness of such processing".

Google collaborated with the Working Party’s investigation, by answering two questionnaires sent by the CNIL. However the letter claimed the investigation unveiled "several legal issues" with the new policy and the combination of data.

It said: "The investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data 2 being processed."

In the search for simplicity, it said, internet companies should not "avoid the respect of their duties".

The investigation also confirmed the regulators’ concerns about the combination of data across services saying that Google collects vast amounts of personal data about internet users, which is not proportionate for its processes.

It said Google did not set any limits to the combination of data or provide clear tools to enable users to control it.

The letter calls on Google to modify its practises when combining data across its services. It recommends simplifying opt-out mechanisms, collect explicit user consent for the combination of data for certain purposes, limit data collected for passive users,

The letter said: "As data protection regulators, we expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data protection laws and principles. To that end, we list below our practical recommendations."

"We recognise Google’s key role in the online world. Our recommendations do not seek to limit the company’s ability to innovate and improve its products, but rather to strengthen users’ trust and control, and to ensure compliance with data protection legislations and principles."

The CNIL has just hosted a press conference about the probe. Peter Fleischer, global privacy counsel, sent out the following statement in response: "We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law."

Speaking to Media Week, Nick Pickles, director of privacy group Big Brother Watch, said the data regulators across Europe will have varying powers of how they can enforce Google to change its policy if it does not respond to the recommendations.

"This is the first time a multinational company could fall foul of EU data protection laws and it will be a big test for the regulators to make sure it can enforce this policy on a company outside of the EU.

"It's absolutely right that European regulators focus on ensuring people know what data is being collected and how it is being used. Unless people are aware just how much of their behaviour is being monitored and recorded it is impossible to make an informed choice about using services."

Google has been given a number of months to respond to the recommendations.

Follow @shearmans

This article was first published on mediaweek.co.uk