Google policy changes spark EU fears over risks to user privacy

16 Oct 2012

Google’s decision to consolidate more than 60 different privacy policies into a single workable policy to better target advertising and serve users has raised the ire of 24 of Europe’s 27 data protection regulators who have urged it to rethink its business model.

The 24 regulators have made 12 recommendations in a letter ahead of an official EU announcement today on the matter.

An investigation into Google’s new privacy policy was instigated by the Article 29 Working Party and led by the French data regulator CNIL.

A letter sent to Google by the regulators warns that combining data on such a vast scale after combining 60 different policies creates significant risks to the privacy of users.

It stopped short of declaring Google’s new policy illegal but has recommended clearer information for users, improved control over the combination of data across Google’s numerous services, which include YouTube and Gmail, and that Google modifies the tools it uses to avoid an excessive collection of data.

EU wants some satisfaction

“Given the numerous questions raised by these changes, the Article 29 Working Party mandated the CNIL to lead the investigation into Google’s new privacy policy. Two successive questionnaires were sent to Google. The company replied on April 20 and June 21, but several answers were incomplete or approximate.

“In particular, Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy.

“The analysis of Google’s answers and the examination of numerous documents and technical mechanisms by the CNIL’s experts have led EU data-protection authorities to draw their conclusions and make recommendations to Google.

“Firstly, it is not possible to ascertain from the analysis that Google respects the key data-protection principles of purpose limitation, data quality, data minimisation, proportionality and right to object. Indeed, the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.

“The EU data-protection authorities challenge Google to commit publicly to these principles,” CNIL said.

Google’s global privacy counsel Peter Fleischer commented: “We have received the report and are reviewing it now.

“Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.”

Privacy policy image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com