Out-Law News
09 Mar 2012, 2:57 pm
In an interview with the Guardian newspaper, deputy Information Commissioner and head of data protection David Smith said that the new policy, which covers around 60 separate services, did not give users enough information to control the use of their data.
"The requirement under the UK Data Protection Act is for a company to tell people what it actually intends to do with their data, not just what it might do at some unspecified point in future. Being vague does not help in giving users effective control about how their information is shared - it's their information at the end of the day," he said.
He warned that the Information Commissioner could order the company to stop sharing information "in a way which hasn't been properly explained" or that users had not consented to, depending on the findings of an investigation by the French data protection authority.
This month Google replaced over 60 existing privacy policies with one single all-encompassing policy covering the collection of personal data across all its services. However, the French regulator Commission Nationale de l'Informatique et des Libertés (CNIL), which is leading an investigation into the policy on behalf of EU privacy watchdog the Article 29 Working Party, has claimed that it does not comply with EU law.
In a letter (2-page / 704KB PDF) to Google chief executive Larry Page announcing the investigation, CNIL president Isabelle Falque-Pierrotin said that the company was not being clear enough about what it would actually do with the data it collects.
"Rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google's actual practices. Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals," she said.
The EU's Data Protection Directive lays out a framework of rules that organisations must follow to ensure they use personal data appropriately. Under the Directive personal data must be processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Generally, organisations are required to obtain individuals' unambiguous consent in order to legitimately process their personal data. The Directive is implemented in the UK through the Data Protection Act.
Under draft new EU data protection laws published last month, which will supersede the Directive, individuals will be given a qualified 'right to be forgotten' that will generally enable them to force organisations to delete personal data stored about them "without delay". In the Guardian interview Smith said that this right should be extended to information indexed by search engines.
"Google can't just say I'm just a messenger, I have no responsibility at all for the messages I carry. Given their dominant role and their huge influence here they have a responsibility to ensure they operate in a fair and reasonable way," he said.
"Where things are drawn to their attention and it can be established they are delivering content which is defamatory, where it is harmful to individuals and there is no public interest justification Google have a responsibility not to serve up that information."
Peter Fleischer, Google's privacy lawyer, has previously said that although the company is supportive of the general right, search engines should only have to update search rankings and help facilitate faster deletion of content rather than delete the material themselves.
Meanwhile Brazil has become the latest country to set out its concerns with the policy. The country's Justice Ministry has written to Google asking for more information about how it will handle users' personal data under the new policy and has warned that it could launch an official investigation if the company does not provide a satisfactory response within 10 days.
In a statement, the Justice Ministry said it had asked Google whether users were consulted during the drafting of the new policy and what kind of authorisation is required from individual users, according to an automated translation.