On Oct. 16, European Union data protection authorities issued a letter to Google CEO Larry Page calling upon the search engine giant to revisit its privacy policy. Earlier this year, the policy was unified into one policy covering a wide range of different Google services and integrating data from Google search history and YouTube accounts. When Google first unveiled its new privacy policy, European regulators greeted it with skepticism and asked Google to delay instituting the revised policy. Google refused. The letter followed a months-long exchange between Google and EU privacy regulators, stemming from a formal investigation into whether Google’s new privacy policy adheres to EU privacy regulations.
The French Data Protection Authority (CNIL), known to be one of the most assiduous data protection authorities in Europe, was designated by an EU committee to lead the investigation. The timing of the letter is significant: Next week, data protection commissioners from across the globe will congregate in Punta del Este, Uruguay for an annual convention on international privacy standards and emerging issues in the field of data protection.
The group of 27 data protection authorities, who submitted the letter under the banner of the Article 29 Data Protection Working Party, asked Google to revise its privacy practices in two key areas. They called for more transparency on the collection and use of individuals’ personal data, and changes to the newly implemented policy of combining user data across a range of Google services. On the transparency front, the EU data protection authorities are asking Google to provide clearer and more comprehensive information about what data it is collecting and how that information is being used. The commissioners suggest using “interactive presentations” to help get the message across.
The authorities also charged that Google failed to give European users control over the combination of data from across its numerous platforms, such as web searches, Blogger, YouTube or Gmail. To remedy this, the authorities are asking Google to give users the opportunity to choose when their data will be combined, and to “reinforce users’ consent” to have data about them rolled together from multiple accounts. The commissioners also asked Google to simplify users’ right to opt out of having data about them combined across multiple services.
Two EU privacy laws – the Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC – are referenced near the top of the privacy regulators’ letter. While the letter does not come out and accuse the company of running afoul of these regulations, it does note that “the [Google] Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles.”
According to Google, the letter stems from a fundamental disagreement in which data protection authorities view Google’s many services as different silos warranting separate privacy protections, whereas Google’s new privacy policy positions it as a single product with many services offered under the same umbrella. The company’s public assertion – appearing in numerous media reports – is that its privacy policy is in full compliance with EU law.
But not everyone interprets the letter the same way. Privacy expert Simon Davies, writing in a blog post analyzing the EU move, characterized it as a first step toward litigation rather than a mere request:
“The reality is that the letter is an iron fist in a velvet glove. Although camouflaged with words such as ‘challenge’ and ‘request’ the letter clearly opens the litigation terrain to national regulators who will be doing more than ‘requesting’. Article 29 has created an evidence-based foundation for all regulators to commence legal proceedings.”
Google’s stated purpose for introducing data combination is to improve its services, advertising, and analytics. When the privacy policy was first announced, EFF published a detailed analysis explaining what actually changed in the policy and a how-to guide for users who wanted to prevent their Web History (Google searches and sites visited) from being used to customize other Google products.
While there is a range of opinions on Google’s policy change, it’s clear to us that Google should not create European-specific products apart from its global services. Right now, the strong privacy laws in Europe benefit people all over the world because international companies (like Google) are striving to reach the tough European standards. We see an example of this with data portability, in which companies like Twitter and Google are increasingly providing users with simple ways to access the entire user dossier the company has compiled on them. This concept, which stems in part from data access rights under European privacy law, is increasingly being made available both to users in Europe and, in a ripple effect, to people around the world.
So while we encourage the European regulators and Google to continue moving forward in productive conversations, we also remind both Google and European regulators that resolving this disagreement by balkanizing Google’s services won’t benefit users or innovation.