Google comes under fire (again) for collecting personal data

Out Law |

A committee of EU privacy watchdogs will state their concerns “within days” at the way Google is accumulating users’ personal data following the company’s switch to a new single privacy policy earlier this year, according to a report by a UK newspaper.

The Guardian said that “sources” revealed to it that the Article 29 Working Party, which is made up of the data protection watchdogs from the EU’s 27 member states, has determined that Google is in breach of “privacy laws” over its privacy policy changes.

In March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services.

Privacy campaigners had raised concerns about the plans when Google first detailed its intention to change its policy. In addition the Article 29 Working Party asked Google not to introduce the policy changes until the French data protection regulator could assess what it meant for the protection of individuals’ personal information on its behalf.

However, the internet giant decided to press ahead with the amalgamation of its numerous previously-existing policies into one despite the French data protection authority claiming that the single policy did not comply with EU laws following an initial assessment.

In a letter to Google chief executive Larry Page announcing the investigation, president of the Commission Nationale de l’Information et des Liberties (CNIL), Isabelle Flaque-Pierrotin, said that the company was not being clear enough about what it would actually do with the data it collects.

“Rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices,” she said. “Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals.”

In a follow-up in May CNIL said that it had reiterated concerns “regarding the combination of data across services” as well as “the purposes and the breadth of these combinations as well as their legal basis”. The regulator said that it wanted clarification from Google about the “actual effects” of the company’s “opt-out mechanisms and their validity as a means to exercise the right to oppose”.

At the time CNIL said that it would “present its report to the Article 29 Working Party” on the issue and that the Working Party would “define its position and the potential improvements Google should bring to this policy to comply with the European data protection framework”. It said Google would be sent “the conclusions of the analysis” before mid-July.

The Article 29 Working Party most recently met in Brussels on 25 and 26 September, although a summary of the meeting does not contain mention of any discussions on the subject of Google and its privacy policy changes.

The UK’s Information Commissioner’s Office (ICO) has separately outlined concerns with Google’s privacy policy changes. In March deputy Information Commissioner David Smith told the Guardian newspaper that the single privacy policy was insufficiently detailed to enable users of its services to control the use of their data.

“The requirement under the UK Data Protection Act is for a company to tell people what it actually intends to do with their data, not just what it might do at some unspecified point in future. Being vague does not help in giving users effective control about how their information is shared – it’s their information at the end of the day,” he said.

Smith warned that the ICO could order the company to stop sharing information “in a way which hasn’t been properly explained” or that users had not consented to depending on the findings of an investigation by the French data protection authority.

Google has previously defended the privacy policy changes, claiming that the new policy would present a simpler and easier to understand explanation of how it uses user data. It also said that the policy would enable it to offer more personalised services to those individuals.