Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The officials said, among other things, that Google's new policy inadequately informs users of how their personal data are used and does not allow users to control how their data are combined across the company's many services. The company also fails to provide retention periods for user data, as required by EU and French law, they said.
The French and EU officials released a report on their findings and recommendations. Kohnstamm, who is also the chairman of the Dutch DPA, said that, in a first, DPAs from all 27 EU member states signed the letter to Google.
“We are confident that our privacy policies comply with European law,” Fleischer said.
Falque-Pierrotin said that neither the report nor the letter to Google constitutes a deadline for the company to implement the report's recommended privacy improvements or threatens sanctions.
Kohnstamm said Google should be able to report improvements to the Working Party at that group's next meeting in December. He noted that the group has no sanctioning power of its own but that the regulators in EU member states are individually able to impose fines of varying levels.
Falque-Pierrotin noted that in March 2011 the CNIL levied its highest ever fine of €100,000 ($130,459) on Google over its collection of unsecured wireless internet connection data using Street View mapping project vehicles (10 PVLR 479, 3/28/11). Kohnstamm said the Dutch DPA could potentially fine Google €1 million ($1.3 million) in its own action in that case, if the company fails to implement changes that it ordered (10 PVLR 624, 4/25/11).
“These are probably still small amounts of money for a company like Google, so I think the bad public relations that come with a fine for failure to comply with EU data protection rules will have more of an impact,” Kohnstamm said.
Following Google's announcement of the new policy in January, the Working Party asked the CNIL to investigate its compliance with EU data protection law. The French authority issued a preliminary conclusion in February that the Google changes did not meet requirements under the EU Data Protection Directive (95/46/EC) (11 PVLR 426, 3/5/12).
Both the CNIL and the Working Party asked Google to halt implementation of the policy until they completed their investigation, but the Mountain View, Calif.-based company declined and launched it in March.
In its investigation, the CNIL sent Fleischer 69 questions in March (11 PVLR 552, 3/26/12), as well as follow-up questions in May (11 PVLR 905, 6/4/12). Presenting the CNIL's final report, Falque-Pierrotin said the authority's analysis of Google's policies left it with doubts that the company respects key EU data protection principles of purpose limitation, data minimization, proportionality, and the right to object.
She said that, for example, Google's policy does not give users enough information about how data are used, and that the policy implies that basic search data and sensitive data such as credit card information, biometric, and location data could all be treated the same. “These policies can also affect users that are not Google subscribers,” and these users are not notified, she said.
Falque-Pierrotin said the investigation found that the policy allows “excessive, uncontrolled combination of user's personal data.”
“I am sorry that Google did not want to wait to launch this policy. Considering the findings of [this report,] that would have been much more preferable,” Kohnstamm said.
Among the report's recommendations, it said Google should provide clearer and more comprehensive information about collected data and how it uses that data to develop and improve services. For example, it recommended implementing a presentation with three levels of detail, “to ensure that information complies with requirements in the [EU Privacy] directive and does not degrade the users' experience.”
Google should improve the “ergonomics” of its policy, for example with interactive presentations, the report said.
The report said Google does not provide user control over combination and cross-referencing of user data across its many services and the Android operating system, as well as third-party websites that use Google services.
For example, if a user just consults a website that has a +1 button, that information is recorded and stored at least 18 months and can be associated with the use of a Google service, Falque-Pierrotin said. She said data gathered by a DoubleClick cookie are tagged with an identifying number that remains valid for two years and is renewable.
The report recommends that Google modify its practices for combining data across services, by reinforcing user consent to data combination, such as by giving users a choice of buttons to decide when to allow combinations of their data.
Falque-Pierrotin said the CNIL analysis showed that it takes Google subscribers six separate actions to opt out of data combination, while nonsubscribers have to take four actions to do so. The report recommends making these processes simpler and allowing users to choose the services on which their data can be combined.
“Cookies have an important role to play [in the development of the internet]. We are not opposed in theory to combination[s] of data or to innovation, but it has to be done on a legal basis that respects privacy,” Falque-Pierrotin said.
The officials also urged Google to provide retention periods for data, which they said Google currently does not do.
The officials said DPAs from the Asia Pacific Privacy Authorities, including Australia and Hong Kong, and Canada's Federal Privacy Commissioner expressed support for some of the report's recommendations.
Canadian Privacy Commissioner Jennifer Stoddart clarified in a letter to Falque-Pierrotin, released Oct. 16 and dated Oct. 11, that she could not endorse the Art. 29 Party's “specific recommendations” given the Art. 29 Party's and Canada's different approaches to the matter. “That said, I share your concerns with respect to Google policy of combining data, as well as its data retention and transparency practices generally,” Stoddart said.
In February, Stoddart sent a letter to Google asking the company to clarify its data retention and disposal policies and practices, clearly explain to users how they can exercise their privacy preferences, and explain why linking user personal information is a condition for using certain features on Android phones (11 PVLR 419, 3/5/12). In March she raised a second round of questions concerning the policy (11 PVLR 526, 3/19/12).
By Rick Mitchell
The Oct. 16 letter to Google is available at http://www.cnil.fr/fileadmin/documents/en/20121016-letter_google-article_29-FINAL.pdf.
Full text of the Privacy Commissioner of Canada's letter is available at http://op.bna.com/pl.nsf/r?Open=kjon-8z5sjv.