Google Privacy Policy Must Change Says EU
October 16, 2012

EU Warns New Google Privacy Policy Must Change

Enid Burns for — Your Universe Online

The European Union is expected to tell Google on Tuesday that it must unravel its current privacy policy to conform to new standards set for EU countries. The French data protection commissioner issued the formal mandate at a press conference today. Google will have a limited amount of time to put through the changes or else face hefty fines.

The EU Data Protection authorities have spent the past several months reviewing Google's privacy policy, which went into effect on March 1. This is the revision to the privacy policy that merged all of Google's policies from properties such as the search engine, YouTube, Google+ and Android phones into one all-encompassing policy.

"The new policy merges many product-specific privacy policies and generalizes the combination of data across services," says a letter from CNIL addressed to Google CEO Larry Page.

The CNIL is acting on behalf of the European Union and a handful of surrounding countries outside the EU. The letter obtained signatures from representatives of countries including France, the Netherlands, Austria, Belgium, Bulgaria, the Czech Republic, Germany, Denmark, Estonia, Greece, Spain, Finland, Ireland, Italy, Hungary, Cyprus, Lithuania, Luxembourg, Malta, Poland, Portugal, Sweden, Slovenia, Slovakia and the United Kingdom. The letter also had signatures from Liechtenstein, a member of the European Free Trade Association, and EU candidate country Croatia. Notable EU countries that did not sign included Latvia, Hungary and Romania.

In the time since Google implemented the privacy changes, the CNIL has been under an Article 29 Working Party mandate to conduct an investigation. The group sent Google two questionnaires and stated that when answered, "several answers were incomplete or approximate. In particular, Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy."

The committee brought up several issues in its statement, the letter to Google and a 15-page document of recommendations made to Google on its privacy policy, all dated October 16, 2012.

One main claim by the CNIL and its supporters is that the Google privacy policy doesn't distinguish between the different pieces of data it collects, which the committee believes could expose consumers to security issues.

"The Privacy Policy makes no difference in terms of processing between the innocuous content of search query and the credit card number or the telephone communications of the user; all these data can be used equally for all the purposes in the Policy," the statement says.

While many users and even privacy groups complain that the end-user license agreements (EULAs) for particular websites and properties are too long, the commission warns against over-shortening.

"EU Data protection authorities remind Google and internet companies in general that shorter privacy notices do not justify a reduction of information delivered to the data subjects," the CNIL statement warns.

While the CNIL is calling its assertions "recommendations" and "requests," the organization stated Google may face fines if these recommendations are not followed.

The CNIL's letter to Google outlines a number of specific changes it would like to see.

"Google should take action to clarify the purposes and means of the combination of data. In the perspective, Google should detail more clearly how data is combined across its services and develop new tools to give users more control over their personal data," the letter states.

Several specific recommendations include the implementation of controls. Examples include simplified opt-out mechanisms for authenticated and non-authenticated users, available in one place; differentiated purposes of the combination of data with appropriate tools; collection of explicit consent for the combination of data for certain purposes; offering the possibility for authenticated users to control services they are logged into; limiting the combination of data for passive users; implementation of Article 5 of the European ePrivacy Directive; and an extension to all countries of the process designed for Google Analytics in Germany.

The CNIL states its goal is to have Google "strengthen users' trust and control, and to ensure compliance with data protection legislation and principles."