Out Law
In March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services.
Privacy campaigners had raised concerns about the plans when Google first detailed its intention to change its policy. In addition, the Article 29 Working Party asked Google not to introduce the policy changes until the French data protection regulator could assess, on the Working Party’s behalf, what they meant for the protection of individuals’ personal information.
However, the internet giant decided to press ahead with the amalgamation of its numerous previously-existing policies into one despite the French data protection authority claiming that the single policy did not comply with EU laws following an initial assessment.
In a letter to Google chief executive Larry Page announcing the investigation, the president of the Commission Nationale de l’Informatique et des Libertés (CNIL), Isabelle Falque-Pierrotin, said that the company was not being clear enough about what it would actually do with the data it collects.
“Rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices,” she said. “Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals.”
In a follow-up in May CNIL said that it had reiterated concerns “regarding the combination of data across services” as well as “the purposes and the breadth of these combinations as well as their legal basis”. The regulator said that it wanted clarification from Google about the “actual effects” of the company’s “opt-out mechanisms and their validity as a means to exercise the right to oppose”.
At the time CNIL said that it would “present its report to the Article 29 Working Party” on the issue and that the Working Party would “define its position and the potential improvements Google should bring to this policy to comply with the European data protection framework”. It said Google would be sent “the conclusions of the analysis” before mid-July.
“The requirement under the UK Data Protection Act is for a company to tell people what it actually intends to do with their data, not just what it might do at some unspecified point in future. Being vague does not help in giving users effective control about how their information is shared – it’s their information at the end of the day,” he said.
Smith warned that, depending on the findings of an investigation by the French data protection authority, the ICO could order the company to stop sharing information “in a way which hasn’t been properly explained” or in a way that users had not consented to.