October 16, 2012
Enid Burns for redOrbit.com — Your Universe Online
"The new policy merges many product-specific privacy policies and generalizes the combination of data across services," says a letter from CNIL addressed to Google CEO Larry Page.
The CNIL is acting on behalf of the European Union and a handful of surrounding countries outside the EU. The letter obtained signatures from representatives of countries including France, the Netherlands, Austria, Belgium, Bulgaria, the Czech Republic, Germany, Denmark, Estonia, Greece, Spain, Finland, Ireland, Italy, Hungary, Cyprus, Lithuania, Luxembourg, Malta, Poland, Portugal, Sweden, Slovenia, Slovakia and the United Kingdom. The letter also had signatures from Liechtenstein, a member of the European Free Trade Association, and EU candidate country Croatia. Notable EU countries that did not sign included Latvia, Hungary and Romania.
In the time since Google implemented the privacy changes, the CNIL has been under an Article 29 Working Party mandate to conduct an investigation. The group sent Google two questionnaires and stated that when answered, "several answers were incomplete or approximate. In particular, Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy."
While many users and even privacy groups complain the end-user license agreement (EULA) for particular websites and properties are too long, the commission warns against over-shortening.
"EU Data protection authorities remind Google and internet companies in general that shorter privacy notices do not justify a reduction of information delivered to the data subjects," the CNIL statement warns.
While the CNIL is calling their assertions "recommendations" and "requests," the organization stated Google may face fines if these recommendations are not followed.
The CNIL's letter to Google outlines a number of specific changes it would like to see.
"Google should take action to clarify the purposes and means of the combination of data. In the perspective, Google should detail more clearly how data is combined across its services and develop new tools to give users more control over their personal data," the letter states.
Several specific recommendations include the implementation of controls. Examples include simplified opt-out mechanisms for authenticated and non-authenticated users, available in one place; differentiated purposes of the combination of data with appropriate tools; collection of explicit consent for the combination of data for certain purposes; offering the possibility for authenticated users to control services they are logged into; limiting the combination of data for passive users; implementation of Article 5 of the European ePrivacy Directive; and an extension to all countries of the process designed for Google Analytics in Germany.
The CNIL states its goal is to have Google "strengthen users' trust and control, and to ensure compliance with data protection legislation and principles.”