On Jan. 24, 2012, Google announced it would be updating its privacy policies for almost all of its services by combining them into one privacy notice. Google saw this as an appropriate way to streamline the information it provides to users and to allow the sharing of the information between its products, which include services such as Gmail, Google+, YouTube and its search engine.
Google believed this change would benefit users with a more tailored and relevant Google experience based on the user’s data and activities across Google’s product range. The company presumably viewed the main benefit of this change as its ability to combine and more effectively monetize the vast amounts of data it holds.
The Article 29 Working Party (an advisory body that represents data protection authorities in the EU) expressed concerns about Google’s compliance with EU privacy laws and mandated the CNIL (Commission nationale de l'informatique et des libertés – the French data protection authority) to lead an investigation into Google's new policy.
By selecting one of their toughest regulators to lead this investigation, the EU authorities have sent a clear signal that they are prepared to take a strong and united approach on privacy issues that affect EU citizens. An investigation by a single authority on behalf of all the EU regulators is unprecedented and likely to signal a change in the way that regulators cooperate in response to providers of Internet or technology-based services that have a significant, multi-jurisdictional presence in the EU.
On Oct. 16, 2012, the CNIL and the Article 29 Working Party publicly released their investigation report. The report findings have been endorsed by all 27 EU Member State data protection authorities.
Throughout the investigation and since the time the findings were announced, Google has maintained its practices are consistent with EU privacy law and are similar to other large U.S.-origin Internet companies.
The EU data protection authorities do not agree.
In particular, the report finds that Google does not provide sufficient information to Google users about the personal data it collects and how such data is used; questions whether personal data is only used for the purposes stated in the policy; raises concerns about whether Google implements minimization and proportionality principles in respect of the type and volume of personal data it collects; and states certain uses and combinations of personal data from across its services do not have appropriate legal grounds to take place.
Regulators have stopped short of any formal action or sanctions and have adopted a more conciliatory approach. That approach is likely to harden if Google is unwilling to satisfactorily address the concerns of the regulators.
Even though the report’s findings are targeted at Google, reviewing them is a useful exercise for organizations that have a significant EU user base, as they provide insight into EU data protection authorities’ views on data privacy policies and practices. While the report contains some suggestions that will be difficult to implement (even for companies with the resources of Google), some key issues of general application for businesses to consider can be summarized as follows:
Companies should not develop privacy notices that are too complex, law-oriented or excessively long; however, brevity should not come at the expense of explaining clearly what data they are collecting and how it is used.
If possible, interactive features that aid navigation and understanding should be used.
Additional and precise information should be provided about the use of any data that has a significant impact on the privacy of users, e.g., location data, credit card data, unique device identifiers and biometrics.
Privacy policies and practices should be amended for mobile users so that they are appropriate for smaller screens and the mobile environment.
The data protection authorities clearly have concerns about the privacy risks of combining, on such a large scale, personal data that has been collected across multiple services and products. In some instances, the only way this will be possible is with the explicit consent of the individuals who are identified by the combined data.
Where individuals have the right to opt out of certain uses of their personal data, e.g., in respect of marketing or when closing their account, these opt-outs should be made simple and easy to access.
Steps must also be taken to implement the European ePrivacy Directive in respect of seeking consent for cookie use and providing information about them.
For everyone else, now is a good opportunity to watch and learn, and to consider what steps they can take to ensure their own privacy approaches stand up to regulatory scrutiny.
Notably, the U.S. Federal Trade Commission has officially declined to endorse the EU report, as reported on Tuesday by the Washington Post. The FTC’s decision may have been complicated by the comprehensive 20-year privacy consent decree the agency signed just last year with Google in connection with the Google Buzz social-networking service. The FTC’s stance demonstrates the complexities of implementing a global data privacy strategy where regulators take different approaches.