After all the saber rattling, commentary and anticipation yesterday there was an expectation that Google would be asked by European data protection authorities, led by the French privacy regulator CNIL, to “unravel” or roll back its unified privacy policy. There was also a strong suggestion that there might be fines imposed. Instead we essentially got a relatively polite request to make some modest changes to the privacy policy, mostly around disclosures to end users.
The coverage today of the CNIL letter to Larry Page (embedded below) is all over the map, with some outlets focused on hypothetical future drama and action that might be taken if Google makes no changes. For example the BBC quotes CNIL’s president Isabelle Falque-Pierrotin, saying that Google has “‘three or four months’ to make the revisions, otherwise ‘authorities in several countries can take action against Google.’”
Fundamentally, however, European data protection authorities did not claim that Google’s privacy policy violated any European law or rule. This is a major victory for Google and consistent with the prior statements by Google’s privacy counsel Peter Fleischer who has repeatedly asserted that Google’s privacy policy is in compliance with European laws.
The European authorities also express some confusion or mystification over what Google is doing with the data and want the company to be more clear with them and the public generally. In relatively plain English the following are central recommendations coming from CNIL and the other EU data protection authorities:
Commit publicly to privacy principles advocated by the EU data protection authorities
Tell users what data are being collected and how they’re being used
Give users the ability to consent or opt-out of Google’s uses of combined personal/behavioral data (in other words give users more control)
Identify the data retention periods of the combined data and comply with European data retention standards
Google has said it’s doing nothing different than other US-based companies; however, the Europeans haven’t looked closely at others, save Facebook in other privacy contexts. Microsoft’s similar privacy policy may eventually come under scrutiny but hasn’t yet.
Google has said it’s studying the document and will continue to work cooperatively with European authorities. It’s quite possible, however, that Google won’t change anything significant and simply keep talking to the various European data protection authorities. There’s really no stick here compelling them to do much of anything given that there’s no finding of illegality.
The implication of some of the public statements made by CNIL president Isabelle Falque-Pierrotin in particular, however, is that Google has a limited window to “comply” with Europe’s request and if it fails to do so there might be subsequent action. For now CNIL has only asked for Google to give it some indication of how the company might address the concerns and recommendations expressed in the letter.
Postscript: After offering a relatively tepid rebuke to Google in the letter above, later remarks made by CNIL president Isabelle Falque-Pierrotin took a stronger line, asserting that Google needed to adopt some of the recommendations or face potential fines or other “disciplinary” action. As reported by Reuters:
CNIL president Isabelle Falque-Pierrotin said regulators were prepared to talk to Google, adding: “If Google does not conform in the allotted time, we will enter into the disciplinary phase”. Google can either negotiate with the regulators and change elements of its privacy policy or challenge their authority to impose changes in court. The data protection watchdogs that examined the privacy policy cannot rule on the legality of Google’s approach since they are not a court of law. Some national data protection regulators including those in Belgium, France and the Netherlands have, in the past, imposed fines on companies that have breached rules. Such sanctions cannot be imposed EU-wide.