Future of EU regulation of data protection previewed in Google privacy policy investigation, says expert

Out-Law News | 16 Oct 2012 | 5:18 pm | 4 min. read

The way that authorities from across the EU combined to investigate and lay out concerns with Google's all-encompassing single privacy policy signifies a "new era" in data protection law enforcement, an expert has said.

On Tuesday the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), published a letter (5-page / 672KB PDF) it has sent to Google chief executive Larry Page on behalf of members of the Article 29 Working Party that outlines concerns with the internet giant's privacy policy.

In addition CNIL published a document containing recommendations (9-page / 437KB PDF) it said Google should adopt to remedy the concerns expressed by it and the other privacy watchdogs.

Google faces a "phase of litigation" if it does not take action to implement the recommendations within the next "three or four months," CNIL president Isabelle Falque-Pierrotin warned, according to a report by the Daily Telegraph.

The Article 29 Working Party is a committee made up of representatives from the data protection authorities based in the EU's 27 member states.

CNIL had been tasked by the Working Party to conduct an investigation into Google's privacy policy. In March Google replaced over 60 privacy policies for services such as YouTube and Gmail with one single policy covering the collection of personal data across all its services.

CNIL said that Google does not have a "valid legal basis" to combine personal data it gathers about users from their use of more than one of its services for some purposes for which the information is collected.

It said Google should seek the consent of its users in order to combine their personal data collected from the various services it operates where users lack "direct knowledge" that their data will be combined. This includes where Google uses the combination of data collected to provide personalised search results, CNIL said.

In addition, consent of users is required in order for Google to legitimately combine personal data gathered from across services for advertising and analytics purposes or for the purpose of "marketing innovation and product development".

Google's privacy policy "gives incomplete or approximate information about the purposes and the categories of data collected", CNIL also said. It called on Google to provide users with clearer information about why it pools their personal data, and said that users ought to be given the chance to utilise "simple opt-outs" in circumstances where they have a "right to object" to the combination of their data. CNIL also raised further concerns about how long Google retains personal data.

However, Google has defended its privacy policy. It claimed that the policy "shows our continued commitment to protecting our users' data and creating quality products," according to the Daily Telegraph.

"We are confident that our privacy policies respect European law," Google said, according to the report.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that CNIL's leading of the EU investigation was indicative of a new approach to enforcement which will become more prominent under planned reforms to the EU's data protection regime.

"The choice of CNIL to co-ordinate the European data protection authorities (DPAs) was in itself a sign of things to come," Dautlich said. "The logical choice would have been the Irish authority as Google's EU headquarters are established there. CNIL, though, is widely considered to take robust positions on privacy matters, more so than, say, the ICO in the UK."

"The European DPAs do not, by a long stretch, have equal powers to sanction, or resources to investigate, so co-ordinating across all 27 in this way is the beginning of a new era: combined pressure on Google is more effective than unilateral action, although the Germans have of course done the latter too, in relation to Google Analytics, referred to in the recommendations in the letter," he said.

"The characteristics of the new era are co-ordinated activity by DPAs and early publication of the chargesheet, compared with the old era – typically users protecting themselves by, for example, organising themselves on Facebook to reject features of OpenGraph introduced by Facebook or similar user-led actions," the expert added.

"Though CNIL's action is limited to Google's 1 March 2012 privacy policy changes, there is a much wider concern going on about Google – from Street View activities to its apparent circumvention of the default privacy settings on the Safari browser, resulting in the Federal Trade Commission fining them $22.5 million in the US, but negligible coverage, or so far regulatory enforcement action in Europe. The question is will Google make the recommended changes or fight them?" Dautlich said.

"The irony is that the proposed EU General Data Protection Regulation, with its stiff requirements in relation to consent, including online, is actually likely, in the digital world, to benefit the larger, almost exclusively US, platform businesses such as social networks, search engines and email services," he added. "They are the parties with the scale and reach who are best placed to log in users and obtain the quality of consent required under the proposed Regulation."

"Smaller players, which includes all the Europeans, typically offer services and content that users may feel more able to make more nuanced privacy choices about, and perhaps less pressure to accept as offered," Dautlich said.

Under the draft General Data Protection Regulation a new system whereby DPAs from across the EU could cooperate on regulatory activities would be established.

DPAs would have responsibility for regulating companies that have their "main establishment" in that country, but would also be required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state were likely to be affected by decisions taken by one authority, other authorities in those countries would have the right to participate in joint operations. Only the authorities in countries where the organisations have their main establishment would take regulatory action, though, unless the authority confers power on a sister regulator in another state.

"The CNIL, all the authorities among the Working Party and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations," CNIL said in a statement.