Out-Law News

Google asked to clarify privacy policy issues in ongoing EU laws compliance investigation

Google has been asked to answer 69 questions relating to the implementation of its new privacy policy by a watchdog investigating its compliance with EU data protection laws on behalf of all EU data protection authorities.

The company has been asked to provide the French data protection authority – Commission Nationale de l'Informatique et des Libertés (CNIL) – with "the complete list of Google’s processings and services covered by the new privacy policy" and whether each processing activity relates to specific Google services.

CNIL was nominated by the EU's other data protection watchdogs to investigate new Google policies on behalf of all the authorities.

CNIL has also asked Google to inform it about its use, if any, of facial recognition software, and to explain its use of 'cookies' and how personal data is used to offer personalised content.

Answers are also sought to a number of other questions, including about the company's storage of identifying information, how it combines data gathered across services as well as whether individuals have access to a "one step centralized process" that would enable them to "fully opt-out [from] or oppose" the combination of data collected across different Google services.

Since 1 March Google has been operating with one single all-encompassing privacy policy covering the collection of personal data across all its services. The internet giant decided to press ahead with the amalgamation of its numerous previously-existing policies into one despite the French data protection authority claiming that the single policy did not comply with EU laws following an initial assessment.

CNIL is leading an investigation into the policy on behalf of EU privacy watchdog the Article 29 Working Party and previously announced its intention to send a questionnaire to Google as part of its inquiries.

In a letter (12-page / 1.39MB PDF) dated 16 March sent to Google chief executive Larry Page, CNIL's president said she "deeply regrets" that the company decided to implement the changes in spite of its concerns. Isabelle Falque-Pierrotin said she appreciated Google's offer to meet with the Article 29 Working Party to discuss the watchdog's concerns but said such a meeting would be "premature" until Google filed responses to the questionnaire.

"It is necessary that we receive written responses to our questionnaire before we can reconsider this request," she said.

Falque-Pierrotin has asked Google to send its questionnaire responses back by 5 April and said its responses would be "treated confidentially" unless the company "explicitly" said they could be published.

In its "preliminary analysis" of the new privacy policy last month, CNIL said the terms of Google's policy were too difficult to understand. The watchdog also raised questions about what the company would actually do with data it collects.

Because Google's services "differ greatly" in terms of the purposes and types of data processing, Google's new singular policy providing "only general information" is insufficiently detailed to tell users everything they need to know, Falque-Pierrotin said at the time.

Google has said that the changes represent a simpler and easier to understand explanation of how it uses user data and enables it to offer more personalised services to those individuals.

However, earlier this month deputy Information Commissioner and head of data protection in the UK, David Smith, said that the new policy, which covers around 60 separate services, did not give users enough information to control the use of their data.

The EU's Data Protection Directive lays out a framework of rules that organisations must follow to ensure they use personal data appropriately. EU member states introduced national legislation to implement the Directive. The rules are set out for UK organisations in the Data Protection Act.

Under the Directive personal data must be processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Generally, organisations are required to obtain individuals' unambiguous consent in order to legitimately process their personal data.

Separate EU legislation – the Privacy and Electronic Communications Directive (ePrivacy Directive) – sets out the rules for organisations to obtain consent for cookies. Cookies are small text files that websites store on users' computers. The files contain information about users' online activity.

Under the e-Privacy Directive storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be "freely given, specific and informed". An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.
