Article 29 Working Party Urges Google To Reconsider Privacy Policies by Year's End

Bloomberg Law: Privacy & Data Security

PARIS--French and EU data protection officials said Oct. 16 that they had sent Google Inc. a letter dated the same day urging the U.S.-based internet search giant to change its new streamlined privacy policy by the end of 2012 to fix key areas that they said fail to comply with EU data protection law.

Isabelle Falque-Pierrotin, president of the French data protection authority (CNIL), and Jacob Kohnstamm, chair of the Article 29 Working Party of data protection officials of the 27 EU member states, made their comments at a press conference that was called to present results of a six-month CNIL investigation into Google's privacy policy on behalf of the Art. 29 Party.

On March 1, Google implemented a new privacy policy that condensed 60 privacy policies into one that shares and tracks user data across Google email, social networking, YouTube, search engines, and other services.

Both the CNIL and the Art. 29 Party earlier had asked Google to delay implementation of the new privacy policy until they finished their analysis of whether the policy comported with EU data protection law, but Google declined (11 PVLR 232, 2/6/12).

The officials said, among other things, that Google's new policy inadequately informs users of how their personal data are used and does not allow users to control how their data are combined across the company's many services. The company also fails to provide retention periods for user data, as required by EU and French law, they said.

The French and EU officials released a report on their findings and recommendations. Kohnstamm, who is also the chairman of the Dutch DPA, said that, in a first, DPAs from all 27 EU member states signed the letter to Google.

In a brief statement to BNA, Google global privacy counsel Peter Fleischer acknowledged receiving the report and said the company is studying it. “Our new privacy policy shows our continued commitment to protecting the data of our users and to create quality products,” Fleischer said.

“We are confident that our privacy policies comply with European law,” Fleischer said.

Warning to Google.

Falque-Pierrotin said that neither the report nor the letter to Google constitutes a deadline for the company to implement the report's recommended privacy improvements or threatens sanctions.

She warned, however, that if Google fails to implement the Art. 29 Party's recommended improvements by about the end of the year, the company could face separate regulatory actions in EU member states. “If Google does not take action to improve its privacy policy within three or four months, this investigation could enter another, more litigious phase in the individual member states,” she said.

Kohnstamm said Google should be able to report improvements to the Working Party at that group's next meeting in December. He noted that the group has no sanctioning power of its own but that the regulators in EU member states are individually able to impose fines of varying levels.

Falque-Pierrotin noted that in March 2011 the CNIL levied its highest ever fine of €100,000 ($130,459) on Google over its collection of unsecured wireless internet connection data using Street View mapping project vehicles (10 PVLR 479, 3/28/11). Kohnstamm said the Dutch DPA could potentially fine Google €1 million ($1.3 million) in its own action in that case, if the company fails to implement changes that it ordered (10 PVLR 624, 4/25/11).

“These are probably still small amounts of money for a company like Google, so I think the bad public relations that come with a fine for failure to comply with EU data protection rules will have more of an impact,” Kohnstamm said.

'Excessive' Combination of Data.

Following Google's announcement of the new policy in January, the Working Party asked the CNIL to investigate its compliance with EU data protection law. The French authority issued a preliminary conclusion in February that the Google changes did not meet requirements under the EU Data Protection Directive (95/46/EC) (11 PVLR 426, 3/5/12).

Both the CNIL and the Working Party asked Google to halt implementation of the policy until they completed their investigation, but the Mountain View, Calif.-based company declined and launched it in March.

In its investigation, the CNIL sent Fleischer 69 questions in March (11 PVLR 552, 3/26/12), as well as follow-up questions in May (11 PVLR 905, 6/4/12). Presenting the CNIL's final report, Falque-Pierrotin said the authority's analysis of Google's policies left it with doubts that the company respects key EU data protection principles of purpose limitation, data minimization, proportionality, and the right to object.

She said that, for example, Google's policy does not give users enough information about how data are used, and that the policy implies that basic search data and sensitive data such as credit card information, biometric, and location data could all be treated the same. “These policies can also affect users that are not Google subscribers,” and these users are not notified, she said.

Falque-Pierrotin said the investigation found that the policy allows “excessive, uncontrolled combination of user's personal data.”

“I am sorry that Google did not want to wait to launch this policy. Considering the findings of [this report,] that would have been much more preferable,” Kohnstamm said.

Recommendations.

Among the report's recommendations, it said Google should provide clearer and more comprehensive information about collected data and how it uses that data to develop and improve services. For example, it recommended implementing a presentation with three levels of detail, “to ensure that information complies with requirements in the [EU Privacy] directive and does not degrade the users' experience.”

Google should improve the “ergonomics” of its policy, for example with interactive presentations, the report said.

The report said Google does not provide user control over combination and cross-referencing of user data across its many services and the Android operating system, as well as third-party websites that use Google services.

For example, if a user just consults a website that has a +1 button, that information is recorded and stored at least 18 months and can be associated with the use of a Google service, Falque-Pierrotin said. She said data gathered by a DoubleClick cookie are tagged with an identifying number that remains valid for two years and is renewable.

The report recommends that Google modify its practices for combining data across services, by reinforcing user consent to data combination, such as by giving users a choice of buttons to decide when to allow combinations of their data.

Falque-Pierrotin said the CNIL analysis showed that it takes Google subscribers six separate actions to opt out of data combination, while nonsubscribers have to take four actions to do so. The report recommends making these processes simpler and allowing users to choose the services on which their data can be combined.

“Cookies have an important role to play [in the development of the internet]. We are not opposed in theory to combination[s] of data or to innovation, but it has to be done on a legal basis that respects privacy,” Falque-Pierrotin said.

The officials also urged Google to provide retention periods for data, which they said Google currently does not do.

Reaction of Non-EU DPAs.

The officials said DPAs from the Asia Pacific Privacy Authorities, including Australia and Hong Kong, and Canada's Federal Privacy Commissioner expressed support for some of the report's recommendations.

Canadian Privacy Commissioner Jennifer Stoddart clarified in a letter to Falque-Pierrotin, released Oct. 16 and dated Oct. 11, that she could not endorse the Art. 29 Party's “specific recommendations” given the Art. 29 Party's and Canada's different approaches to the matter. “That said, I share your concerns with respect to Google policy of combining data, as well as its data retention and transparency practices generally,” Stoddart said.

In February, Stoddart sent a letter to Google asking the company to clarify its data retention and disposal policies and practices, clearly explain to users how they can exercise their privacy preferences, and explain why linking user personal information is a condition for using certain features on Android phones (11 PVLR 419, 3/5/12). In March she raised a second round of questions concerning the policy (11 PVLR 526, 3/19/12).

By Rick Mitchell

The Oct. 16 letter to Google is available at http://www.cnil.fr/fileadmin/documents/en/20121016-letter_google-article_29-FINAL.pdf.

The report, “Google Privacy Policy: Main Findings and Recommendations,” is available at http://www.cnil.fr/fileadmin/documents/en/GOOGLE_PRIVACY_POLICY-_RECOMMENDATIONS-FINAL-EN.pdf.

Full text of the Privacy Commissioner of Canada's letter is available at http://op.bna.com/pl.nsf/r?Open=kjon-8z5sjv.