After several months of investigation, led by the CNIL (the French data protection authority), into the Google Privacy Policy that came into force on 1 March, the EU data protection authorities have published their common findings. They recommend that clearer information is given to users and ask Google to offer users improved control over the way in which data across its numerous services is combined. They also want Google to modify the tools it uses to avoid an excessive collection of data.
The full letter can be accessed here. The crucial appendix can be found here.
Background
On 24 January, Google announced that it would be updating its privacy policy and terms of service for almost all of its services on 1 March 2012. Given the numerous issues arising from these changes, the Article 29 Working Party mandated the CNIL to lead the investigation into Google’s new privacy policy. Two successive questionnaires were sent to Google. The company replied on 20 April and 21 June, but several answers were incomplete or ‘approximate’. In particular, CNIL did not consider that Google had provided satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy.
Analysis and a challenge
The analysis of Google’s answers and the examination of numerous documents and technical mechanisms by CNIL’s experts have led EU data protection authorities to draw their conclusions and make recommendations to Google.
Despite the extensive analysis, the report indicates that it has not been possible to ascertain whether Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, it is said that the Privacy Policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. The EU data protection authorities therefore challenge Google to commit publicly to these principles.
Information notices
Google provides insufficient information to its users on its personal data processing operations. Under the current Policy, a Google service’s user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed. For example, the Privacy Policy makes no distinction in terms of processing between the innocuous content of a search query and the credit card number or the telephone communications of the user; all these data can be used equally for all the purposes in the Policy. Moreover, passive users (ie those that interact with some of Google’s services like advertising or ‘+1’ buttons on third-party web sites) have no information at all.
The EU data protection authorities remind Google and Internet companies in general that shorter privacy notices do not justify a reduction of information delivered to the data subjects.
The EU data protection authorities ask Google to provide clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations. For instance, it is recommended that Google implement a presentation with three levels of detail to ensure that information complies with the requirements laid down in the Directive and does not degrade the users’ experience. The ergonomics of the Policy could also be improved with interactive presentations.
Combination of data
As to Google’s alleged failure to provide user control over the combination of data across its numerous services, the findings indicate that the combination of data across services has been generalized in the new Privacy Policy: in practice, any online activity related to Google (use of its services, of its system Android or consultation of third-party web sites using Google’s services) can be gathered and combined.
The EU data protection authorities note that this combination pursues different purposes, such as the provision of a service requested by the user, product development, security, advertising, the creation of the Google account or academic research. The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data. For example, the mere consultation of a web site including a ‘+1’ button is recorded and kept for at least 18 months and can be associated with the uses of Google’s services; data collected with the DoubleClick cookie are associated with an identifying number which is valid for two years and is renewable.
The report into the Google Policy observes that European data protection legislation provides a precise framework for personal data processing operations and that Google must have a legal basis to perform the combination of data for each of the identified purposes. Moreover, data collection must also remain proportionate to the purposes pursued. However, the report considers that, for some of these purposes (including advertising), the processing does not rely on consent, on Google’s legitimate interests, or on the performance of a contract. Google should therefore modify its practices when combining data across services for these purposes, including:
· reinforcing users’ consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics – this could be realized by giving users the opportunity to choose when their data is combined, for instance with dedicated buttons in the services’ (cf. button “Search Plus Your World”) ;
· offering improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose for which service their data is combined;
· adapting the tools used by Google for the combination of data so that it remains limited to the authorized purposes, eg by differentiating the tools used for security and those used for advertising.
Retention periods
Google refused to provide retention periods for the personal data it processes.
Next steps
The recommendations of the EU data protection authorities have been sent to Google to allow the company to upgrade its Privacy Policy practices. This letter is individually signed by 27 European Data protection authorities for the first time and it is regarded by them as a significant step forward in the mobilization of European authorities. Several of the recommendations are also supported by members of APPA (Asia Pacific Privacy Authorities) and Canada’s federal Privacy Commissioner has had similar concerns about various Google activities.
The CNIL says that they, all the authorities in the Working Party and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations.