Google has been ordered to change its new privacy policy by a group of European watchdogs, or face legal action.
European Union (EU) data protection agencies found the search engine does not comply with legislation following a nine-month investigation.
Google overhauled its privacy policy in March enabling it to better target its advertising by combining data from all of its services.
Users cannot opt out of the new process, which collects individuals' information across sites including YouTube, Gmail and its social network Google+.
But in a letter to the company's chief executive Larry Page, France's Commission Nationale de l'Informatique (CNIL), which led the investigation, said the company's policy raises "numerous questions" about data protection.
"Google provides insufficient information to its users (including impassive users), especially on the purposes and the categories of data being processed," the letter said.
"The investigation confirmed our concerns about the combination of data across services.
"We expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data protection laws and principles."
The group stopped short of saying Google's data gathering practices are illegal, but identified 12 measures that must be put in place to satisfy their concerns.
These include changing the way people are told about how their personal information and browsing records will be used - especially location information and credit card data.
The regulators also want Google to spell out its intentions for combining the data, asking users for explicit consent.
"Google has a few months, three or four months, to comply. If it takes no action, we will enter a phase of litigation,"
CNIL's president said.
In response, Peter Fleischer, Google's global privacy counsel, said: "We have received the report and are reviewing it now.
"Our new privacy policy demonstrates our long-standing commitment to protecting our users' information and creating great products. We are confident that our privacy notices respect European law."
[spoiler]Privacy Concerns: Letter To Google
Updated: 11:25am UK, Tuesday 16 October 2012
The letter from France's Commission Nationale de l'Informatique to Google's chief executive Larry Page.
Dear Mr Page,
On March 1, 2012 Google changed the privacy policy and terms of service that apply to most of its services.
This new policy merges many product-specific privacy policies and generalizes combination of data across services.
We recognize that Google launched an extensive advertising campaign to inform its users about the new Privacy Policy, using various information tools (emails, pop-ups, etc.).
However, the changes in the new Privacy Policy have been decided without substantial discussions with data protection regulators and have raised numerous questions about Google's processing operations.
The EU Data Protection Authorities, united within the Article 29 Working Party, launched an in-depth investigation to assess the compliance of Google's new Privacy Policy with the European Data Protection legislation, notably the Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC.
The Working Party asked the French Data Protection Authority (CNIL) to take the lead in this analysis.
Google collaborated with the Working Party's investigation by answering two questionnaires sent by the CNIL on March 19 and May 22.
Other data protection and privacy authorities around the world, like the Asia Pacific Privacy Authorities, also conducted inquiries.
Google explained that many of its privacy-related practices do not differ from other U.S. internet companies.
We examine the practices of other companies operating in this sector, if needed be publicly.
As a leader in the online world, we expect Google to proactively engage on privacy matters in close relationship with the competent authorities of the countries where your company offers its services.
The wide variety of processing operations implemented by Google requires a strong and enduring commitment to ensure that Google's development is not made at the expenses of your users' privacy.
Therefore, we are happy that Google accepted to clarify some issues, although grey areas still remain after analyzing your answers to the two questionnaires.
In particular, Google's answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization,
proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles.
Additionally, the investigation unveiled several legal issues with the new privacy policy and the combination of data.
Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed.
As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed.
Internet companies should not develop privacy notices that are too complex, law-oriented or excessively long.
However, the search for simplicity should not lead internet companies to avoid the respect of their duties.
We require from all large and global companies that they detail and differentiate their processing operations.
Secondly, the investigation confirmed our concerns about the combination of data across services.
The new Privacy Policy allows Google to combine almost any data from any services for any purposes.
Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected.
For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user, the protection of the individual's fundamental rights and freedoms overrides Google's legitimate interests to collect such a large database, and no contract justifies this large combination of data.
Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed.
Moreover, Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it. Combining personal data on such a large scale creates high risks to the privacy of users.
Therefore, Google should modify its practices when combining data across services for these purposes.
Other purposes are legitimate or based on consent, such as the provision of a service where the user requests the combination of data across services (e.g. access to the contacts in Calendar), security or academic research, even if improvements should be made with regard to the information provided.
Finally, Google failed to provide retention periods for the personal data it processes.
As data protection regulators, we expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data protection laws and principles. To that end, we list below our practical recommendations.
You will also find a summary of the findings of the investigation and detailed recommendations in the appendix.
Regarding information, Google should disclose and detail how it processes personal data in each service and differentiate the purposes for each service and each category of data. In practice, Google could:
- Define an architecture of layered privacy notices with three levels: (1st level) in-product privacy notices and interstitial notices, (2nd level) the current privacy policy in an updated version, (3rd level) product-specific information;
- Develop interactive presentations that allow users to navigate easily through the content of the policies;
- Provide additional and precise information about data that have a significant impact on users (location, credit card data, unique device identifiers, telephony, biometrics)
- Adapt information to mobile users;
- Ensure that passive users are appropriately informed.
The implementation of these recommendations would ensure comprehensive, non-invasive and clear information for the data subjects.
Regarding combination of data, Google should take action to clarify the purposes and means of the combination of data. In that perspective, Google should detail more clearly how data is combined across its services and develop new tools to give users more control over their personal data.
This could be done by implementing the following controls (detailed in appendix):
- Simplify opt-out mechanisms for authenticated and non-authenticated users, and make them available in one place;
- Differentiate the purposes of the combination of data with appropriate tools;
- Collect explicit consent for the combination of data for certain purposes;
- Offer the possibility for authenticated users to control in which service they are logged in;
- Limit the combination of data for passive users;
- Implement Article 5(3) of the European ePrivacy Directive;
- Extend to all countries the process designed for Google Analytics in Germany.
We recognize Google's key role in the online world. Our recommendations do not seek to limit the company's ability to innovate and improve its products, but rather to strengthen users' trust and control, and to ensure compliance with data protection legislations and principles.
Finally, we encourage you to engage with data protection authorities when developing services with significant implications for privacy.
We would like you to send a response to the CNIL indicating how and within what timeframe Google will update its privacy policy and practices to implement our recommendations.
Yours sincerely,
Isabelle FALQUE-PIERROTIN (FR)
Jacob KOHNSTAMM (Chairman Article 29 Working Party + NL)
Eva SOUHRADA-KIRCHMAYER (AT)
Peter SCHAAR (DE)
José Luis RODRÍGUEZ ÁLVAREZ (ES)
Reijo AARNIO (FI)
Billy HAWKES (IE)
Antonello SORO (IT)
Yiannos DANIELIDES (CY)
Göran GRÄSLUND (SE)
Natasa PIRC MUSAR (SI)
Eleonóra KROČIANOVÁ (SK)[/spoiler]