EU Privacy Regulators Instruct Google On Reforming Its Unified Privacy Policy

Sept. 25 — More than two and a half years after Google Inc. implemented a unified privacy policy, the Article 29 Working Party Sept. 25 made public its recommendations on how the Web search giant might bring its servicewide unified privacy policy into compliance with European Union data protection requirements.

In January 2012, Mountain View, Calif.-based Google announced its plan to implement a unified privacy policy. Despite calls to Google from privacy advocates and EU data protection authorities to postpone the move, Google March 1, 2012, implemented the policy, which condensed multiple privacy policies into one, permitting the sharing of user data across various Google products.

The Art. 29 Party, which includes representatives from the data protection authorities of the EU's 28 member states, suggested in its recommendations that Google take several steps to move the unified policy closer to EU data protection principles, including that it “provide users with more elaborate tools to manage their personal data and to control the usage of their personal data between all Google services.”

The Art. 29 Party transmitted the list of recommendations as an attachment to a Sept. 23 letter to Google Chief Executive Officer Larry Page.

Clearer Policy Language Needed

The group said that Google should clearly tell users when it allows new entities to collect data, citing as insufficiently detailed Google's addition of “and our partners” language to its privacy policy listing “the set of entities that may collect anonymous identifiers when users visit Google services.”

The use of “we may” or “we can” should be replaced in the policy with clear information on data collection and use, such as “if you use services A and B, we will,” the recommendation document said.

Google doesn't have to include important information about how it collects and uses personal information in its terms of use policy but must include it in its privacy policy, the group said.

In addition, the Art. 29 Party said that Google's privacy policy should:

•  be immediately visible and accessible to users, “for instance visible without scrolling and accessible via one click, from each service landing page;”

•  provide clear, unambiguous and comprehensive information on the types of personal data processed and all of the purposes for which the data may be processed;

•  provide the controller's identity and contact information “so that individuals can exercise their rights,” in particular for services that users might not understand are controlled by Google, such as YouTube; and

•  be displayed on all platforms and devices, either directly or through an interface that users are required to go through to configure the service.

The group suggested that an alternative personalized privacy policy showing a user exactly how Google was collecting and using his or her information could be effective. “For example, for a user of Google Search, Gmail and Google Display Network it would be possible to present only information about those services in a dedicated tool demonstrating how the user's data are combined to deliver these services.”

The Art. 29 Party also made specific notification suggestions to alert “passive users” of Google services, such as users whose data are collected by Google Analytics software or by DoubleClick's targeted advertising systems.

Data Retention Recommendation

The Art. 29 Party also said that Google should inform EU data protection authorities of its policies regarding retention of user data. The group and Google have long disagreed about how long the company should be allowed to hold on to user data for research and other uses.

The recommendation document said that Google should retain data in compliance with the proportionality principle.

The group also said Google should disclose to users and privacy regulators the anonymization processes it uses. It encouraged Google to assess whether its anonymization techniques comply with the Art. 29 Party's opinion on anonymization.

Legal Challenges, Fines

Google's move to a unified privacy policy has raised legal concerns both in the EU and U.S.

Spain levied a fine of 900,000 euros ($1.2 million) against Google over its privacy policy in December 2013. France followed suit with a fine of 150,000 euros ($202,015) in January.

The data protection authorities in the Netherlands and Italy also held that Google's unified privacy policy violated national privacy law.

In the U.S., users of Google's Android mobile devices have attempted to sue the company on behalf of proposed classes, alleging that the company's unified privacy policy violated its prior policies, each of which promised to use a consumer's information only for that particular Google product.

The Art. 29 recommendations document, “Appendix : List of possible compliance measures,” is available at http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140923_letter_on_google_privacy_policy_appendix.pdf.

The Art. 29 Party letter to Google CEO Larry Page is available at http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140923_letter_on_google_privacy_policy.pdf.