EU Regulators Urge Google to Modify Privacy Policy
EU privacy regulators are not satisfied with Google's consolidated privacy policies. They recommend that users be given clearer information and ask Google to offer users improved control over the combination of data across its numerous services.
Google has four months to make its privacy policy comply with requests from European Union data protection watchdogs.
After several months of investigation led by France's Commission Nationale de l'Informatique (CNIL) and EU regulators into Google's new 'Privacy Policy' that came into force on March 1, the regulators are not satisfied with Google's answers and described them as "incomplete" or "approximate."
Regulators claim that Google's responses to letters sent to the company did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy.
The analysis of Google's answers has led EU data protection authorities to draw their conclusions and make recommendations to Google.
Regulators found that Google's Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.
"Under the current Policy, a Google service's user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed," CNIL said in a statement. "Moreover, passive users (i.e. those that interact with some of Google's services like advertising or '+1' buttons on third-party websites) have no information at all."
EU Data protection authorities ask Google to provide clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations.
Combination of data across services has been generalized with the new 'Privacy Policy': in practice, any online activity related to Google (use of its services, use of its Android system, or consultation of third-party websites using Google's services) can be gathered and combined.
The European regulators note that by combining users' data across services, Google pursues different purposes such as the provision of a service requested by the user, product development, security, advertising, the creation of the Google account or academic research. The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data.
"Google must have a legal basis to perform the combination of data of each of these purposes and data collection must also remain proportionate to the purposes pursued. However, for some of these purposes including advertising, the processing does not rely on consent, on Google's legitimate interests, nor on the performance of a contract," regulators say.
Regulators ask Google to modify its practices when combining data across services for these purposes: by giving users the opportunity to choose when their data are combined, by offering improved control over the combination of data through a simplified and centralized right to object (opt-out), and by allowing users to choose for which service their data are combined. Google should also adapt its tools used for the combination of data so that it remains limited to the authorized purposes, e.g. by differentiating the tools used for security and those used for advertising.
Google has also refused to provide retention periods for the personal data it processes.
The recommendations of the EU Data protection authorities have been sent to Google to allow the company to upgrade its Privacy Policy practices. This letter is individually signed by 27 European Data protection authorities for the first time and it is a significant step forward in the mobilization of European authorities.
Peter Fleischer, Google's global privacy counsel, issued the following statement: "We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users' information and creating great products. We are confident that our privacy notices respect European law."
Online reports also suggest that the US Federal Trade Commission (FTC) is considering its own investigation into whether Google and others have complied with guidelines for the disclosure of information about how paid advertisements appear in search results and whether the rules should be updated.