European privacy authorities ask Google to tweak March policy change

But they set no firm deadline for making the changes, nor did they threaten firm action if Google does not respond

European privacy authorities have asked Google to tweak the unified privacy policy it introduced on March 1, but have stopped short of asking it to undo all its changes. They set no firm deadline for Google to make the tweaks, and will leave it to national data protection authorities to decide whether to take regulatory or legal action.

Google should provide users with more information about its policies, stop combining information from different sources when it is not legally justified, and guarantee to delete personal data after set periods, the authorities told Google on Tuesday in a formal letter to CEO Larry Page signed by the members of the Article 29 Working Party (A29WP), which brings together data protection authorities from across the European Union.

In February, the authorities wrote to Google asking it to delay introduction of the policy, warning that it appeared to breach European privacy laws. Google refused, prompting the A29WP to ask the French National Commission on Computing and Liberty (CNIL) to conduct a full investigation.

"I regret that Google did not want to wait. It would have been much better otherwise for the privacy of hundreds of millions of users of Google's services," said Jacob Kohnstamm , chairman of the A29WP and also head of the Dutch data protection authority, at a news conference in Paris.

Google didn't cooperate fully with the investigation, said CNIL president Isabelle Falque-Pierrotin. Despite being sent detailed questionnaires about its policies, it replied with examples and not precise statements.

In the March policy changes, Google combined many different privacy policies into one, and said it may use information from many different sources to modify the behavior of any of its services.

European privacy law allows such combination of data in certain cases, including where the user requests it, for security, for the provision of a Google account and for academic research.

However, there are four cases in which explicit consent is required from the service user, said Falque-Pierrotin, including product development, advertising and analytics. Google should seek that consent from its users before combining data to those ends, and also provide them with a way to opt out, Falque-Pierrotin said.

The company should also explain more clearly what data it stores, and for how long, she said.

The members of the A29WP only sent their letter to Page on Tuesday, but they had already presented their recommendations to Google on Sept. 19, she said.

Those recommendations include ensuring that it complies with Article 5(3) of the European ePrivacy Directive, the so-called Cookie Directive; rolling out to all countries the version of Google Analytics designed to meet German privacy laws, and simplifying opt-out procedures and making them all accessible from a single page.

Even for users not logged in to a Google service, there are four different places they must opt out of Google advertising data collection, said Gwendal Le Grand, head of CNIL's technical advisory team. "If you want to opt out today, it's very long and it's not easy to find how to do it."

Although the members of the A29WP set no firm deadline for Google to take action, Falque-Pierrotin said she expected Google to make a commitment to change its policy within three or four months. If it did not, then she expected that a number of national data protection authorities would take action.

The financial sanctions that Google faces are tiny. In a recent case involving the illegal collection of Wi-Fi data by Google's Street View cars, CNIL fined the company €100,000 (US$129,000). Google reported a net profit of $2.79 billion for the second quarter, on revenue of $12.21 billion.

"It's not the size of the fine that's important," said Falque-Pierrotin. She is counting on the bad publicity that will result if Google does not change its ways.

The A29WP's action had also received the support of data protection authorities in other countries, including Australia, Canada, Mexico and Hong Kong.

Things are a little different in the U.S., said Kohnstamm: the Federal Trade Commission there is already taking its own action against Google.

However, he said, he expects the concerted action of all the other data protection authorities to send a clear message to Google -- and to other big Internet companies -- that they are serious in their demands, and that privacy protection is something on which companies can compete to win customers.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.
