ICO Update on Google Privacy Policy

July 4, 2013

On 4 July 2013, the ICO released a statement about the action it has taken in relation to the objections raised to the Google Privacy Policy, implemented by Google back in 2012 and the subject of investigation by elements of the Article 29 Working Party since February 2012. An ICO spokesperson said:

“We have today written to Google to confirm our findings relating to the update of the company’s privacy policy. In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act.

“In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.

“Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policy’s compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”

We asked the ICO to release the full text of the letter but a spokesman told us:

‘While we are not in a position to release the letter at this stage, I have included a summary of our three areas of concern below.

They are similar to those already raised by the French, Spanish and other data protection authorities also investigating this issue.’

The summary is as follows:

Reasonable expectations and sufficient information 

Google must comply with the first principle and provide further information in the policy with regard to the manner in which it processes personal data.

Specified purposes 

Google must comply with the second principle and further define and specify the purposes for which personal data is processed to allow users, regardless of their status, to understand in practice what the implications of using the services are. 

Retention of data 

Google must, in order to ensure processing is fair and in compliance with the first principle, give service users sufficient information where retention of personal data might exceed service users’ reasonable expectations.