Google’s Privacy Policy and EU Data Protection

February 28, 2012

Calls for Google to delay implementing its new unified privacy policy, which involves combining data it holds across many services, have been renewed. The Article 29 Working Party has released the text of a letter dated 27 February from the CNIL (the French data protection authority charged with leading the analysis of the policy changes) which states that ‘Google’s new policy does not meet the requirements of the European Directive on Data Protection’. The full text (in a PDF image) is available here.

The new policy is due to be implemented on 1 March. Google hopes to be able to use data between its services to offer a more personalised experience to users when they log in to their user account.

The CNIL investigation/analysis follows an initial exchange earlier this month between the Article 29 Working Party and Google in which the Working Party’s Chair called on Google to delay implementation, expressing concern that the new policy will mean citizens will have less control over the use of their data as it will be freely transferable across services. Peter Fleischer, Google’s global privacy counsel, replied promptly, complaining that ‘we had extensively pre-briefed data protection authorities across the EU prior to the launch of our notification to users on 24 January 2012. At no stage did any EU regulator suggest that any sort of pause would be appropriate’. Moreover, he argued that the new policies did not threaten users at all and that any concerns were a product of a number of misconceptions about the new policy.

While the new objections appear to focus on the failure to fully explain the policy to users (which seems readily remediable), and appear to be coloured by a touch of resentment that Google consulted some data protection regulators in the EU but not others, the concerns do seem to be more fundamental. The letter of 27 February states:

‘Moreover, rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices. Our preliminary investigations shows that it is extremely difficult to know exactly which data is being combined between which services for which purposes, even for trained privacy professionals. In addition, Google is using cookies (among other tools) for these combinations and in this regard, it is not clear how Google aims to comply with the principle of consent laid down in Article 5(3) of the revised ePrivacy Directive, when applicable.

The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation, especially with articles 6 and 7 of the Data Protection Directive’.