Google needs to improve its privacy practices

By EDRi · October 24, 2012


On 16 October 2012, a letter signed by the 27 European Data Protection
Authorities (DPAs) was sent to Google, asking the company to improve its
privacy practices, accusing Google of illegality and calling into
question the viability of the company’s operations within the European
legal environment.

Following Google’s decision to update its privacy policy from 1 March
2012 by combining about 60 different policies for its online services
(search, Gmail, YouTube, Google+, and others) into a single user privacy
agreement, the Article 29 Working Party mandated the French DPA
(Commission Nationale de l’Informatique et des Libertés, CNIL) to lead
an investigation into the new Google privacy policy. CNIL sent two
questionnaires to Google, but the company’s answers were considered
incomplete and approximate, especially on key issues such as the
description of its personal data processing operations or the precise
list of the product-specific privacy policies merged into the new
policy. Based on CNIL’s findings, the Data Protection Authorities drew
their common conclusions and made a series of recommendations.

One of the major points of criticism is that “… Google’s answers have
not demonstrated that your company endorses the key data protection
principles of purpose limitation, data quality, data minimization,
proportionality and right to object. Indeed, the Privacy policy suggests
the absence of any limit concerning the scope of the collection and the
potential uses of the personal data.” The EU DPAs ask Google to publicly
commit to these principles. They also recommend that the company
provide clearer information to its users on the data collected and the
purposes of its personal data processing operations, give users better
control over the combination of data across its numerous services, and
modify its tools so as to avoid excessive data collection.

One example given in CNIL’s findings concerns credit card information:
“Confidentiality rules do not make a difference in treatment between a
trivial content search and the number of credit card or telephone user.
All these data can be used interchangeably for all the purposes
mentioned in rules.”

The DPAs recommend that Google reinforce users’ consent to the
combination of data for the purposes of service improvement, development
of new services, advertising and analytics, by letting users choose when
their data are combined. Google should have a legal basis for combining
data for these purposes, and data collection must also remain
proportionate to the purposes pursued. At present, for some of these
purposes, the processing is based neither on consent, nor on Google’s
legitimate interests, nor on the performance of a contract. Moreover,
Google refused to provide retention periods for the personal data it
processes.

Google was given three to four months to comply with the recommendations
or face sanctions.

Letter from 27 European DPAs to Google (16.10.2012)

Appendix – Google Privacy Policy – Main Findings and Recommendations

Google’s new privacy policy: incomplete information and uncontrolled
combination of data across services (16.10.2012)

European Data Regulators Slam Google Over Privacy Policy: “Too Large”
And Users Need More Control (But Not Illegal) (16.10.2012)

Europe to Google: respect our laws or face the consequences (16.10.2012)