Pro Bono Privacy Guidance for Megacorp

September 24, 2014

Picture the scene at the last plenary session of the Article 29 Working Party. Faced with no progress in their quest to get Google to agree to changes to its privacy policy so as to make it compliant with EU data protection, the assembled data protection supervisors scratch their heads and try to work out why Google is not changing its policy. Could it be that Google really does not care what they think? The very thought that anyone might not care about EU data protection policy strains their collective credulity, and besides the nice men that came to meetings said, quite emphatically, that they did really care. The answer was obvious: Google did not know what to do. It didn’t have access to the correct legal advice because the pro bono providers have concentrated solely on the poor, powerless and disenfranchised and neglected Larry Page and his colleagues. No wonder they were sending confused signals.

So the Article 29 Working Party has {written to Larry Page: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140923_letter_on_google_privacy_policy.pdf} and has offered the cumulative wisdom of the data protection supervisors to ‘guide Google in [its] compliance effort’. The Working Party has developed guidelines containing a common list of measures that it might adopt – neatly set out in an annex to the letter which can be read {here: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140923_letter_on_google_privacy_policy_appendix.pdf}.

I am sure all will be well now. With specific tailored guidance like this, Google will see clearly, the mist of ignorance having been lifted from its eyes. Here is a sample (it is just one paragraph of 20 in six pages of bespoke guidance):
{i}Google could present the privacy policy using a multi layered approach.
a. In that case the first layer should describe the general policy with enhanced information and links to service specific policies (where appropriate). The additional information on this layer should at least concern data combination for Google’s major services (Gmail, Search, Google+, YouTube, DoubleClick and Google Analytics) and where the combination of data would be reasonably unexpected. The first layer could also provide more information on some categories of data (e.g. location, financial data, unique device identifier and telephony) and has to be presented in a clear, comprehensible and efficient manner.

b. The second layer could be a service specific policy or further examples to explain how information is processed – this layer does exist for selected services.

c. The third layer could comprise the “in product notice”. Google could continue to develop, expand and improve those “in product notices” to alert users to Google’s own data processing purposes.{/i}

In the light of all this clarity, there is just one question left for the Article 29 Working Party to answer: {b}what in God’s name do you think you are doing?{/b}

While there was a time when guidance and a soft approach were appropriate, you have been complaining about this breach of EU data protection policy for 30 months, not just a few weeks. I think it is safe to say that Google knows what to do. It has access to the best advice on data protection law that money can buy. And all the signs are that it is being advised not to worry because the data protection supervisors have no teeth, or are not prepared to bite with the few they have.

My pro bono advice to the Article 29 Working Party is this: You need to show that you have waited long enough and impose every one of the inadequate penalties that the current data regime allows. And you need to do it now. If you don’t, nobody will take you seriously again.

The letter to Larry Page may work. Or it may be as successful as the letters of seduction I regularly send to Beyoncé, Mila Kunis and Keira Knightley; in which case, I can only hope that Mr Page’s response is more polite than that of Ms Kunis and less likely to lead to serious internal injury.

Mr Page may turn out to be a confused redneck lost in a sophisticated European cyberworld and may be grateful for the DP etiquette lesson that the Working Party has offered pro bono. I doubt it. But if he does indeed reject this helpful guidance at least the Working Party has its {love affair with Microsoft: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140922_letter_microsoft_service_agreement.pdf} to fall back on.