According to Reuters, Google was given formal privacy recommendations this week in response to its consolidated privacy policy, which allows Google to combine data it captures across its various services. Europe has long objected to Google’s unified privacy policy because regulators contend it’s too vague and gives Google too much discretion over use of personal data.
Google was presented with a draft of these guidelines in July. Google maintains its consolidated privacy policy complies with European law and has repeatedly declined to make changes in response to individual European government regulatory requests.
Issued by the pan-European Article 29 Working Group, the guidelines don’t have the force of law. They stand, however, as forceful suggestions to bring Google into compliance with European data protection laws. Individual governments would later take enforcement action over the alleged privacy violations, as France did with its 150,000 EUR (roughly $190,000) fine earlier this year.
A letter from the Article 29 Group, sent this week to Google CEO Larry Page, makes clear that Europe is firm in its position that Google make privacy policy changes:
Google must meet its obligations with respect to the European and national data protection legal frameworks and has to determine the means to achieve these legal requirements. In order to guide Google in this compliance effort, the Article 29 Working Party has developed guidelines containing a common list of measures that your company could implement. A draft version was presented to representatives of Google on 2 July 2014, at a meeting in Paris in presence of five European Data protection authorities.
In issuing its fine, the French privacy authority, the National Commission for Computing and Civil Liberties, spelled out what it thought was specifically wrong with Google’s privacy policy:
The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.
It fails to define retention periods applicable to the data which it processes.
Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.
Below is the letter that includes the specific measures that Europe would like Google to adopt. They represent some significant changes to how Google does business. For example, Google would have to gain users’ consent for Google Analytics data to be passed to publishers and provide an option “for users to disable Google analytics on a temporary or permanent site basis.”
It’s very likely that Google will offer to comply with some but not all of the recommendations and try to negotiate a “settlement” accordingly. However, the history of this dispute may suggest that no voluntary arrangement can be negotiated. The fines that privacy regulators can impose, even in aggregate across the EU, are modest compared with Google’s global revenues.