
EU Data Protection authorities publish their common findings on Google Privacy Policy
Posted October 16th, 2012 - 2:34 pm by from Paris, France
Google's new privacy policy: incomplete information and uncontrolled combination of data across services
16 October 2012

After several months of investigation led by the CNIL into Google's new Privacy Policy, which came into force on March 1, the EU Data Protection authorities have published their common findings. They recommend clearer information for users and ask Google to offer individuals improved control over the combination of data across its numerous services. Finally, they ask that Google modify the tools it uses, in order to avoid an excessive collection of data.

On January 24, Google announced that it would be updating its privacy policy and terms of service for almost all of its services on March 1, 2012. Given the numerous questions raised by these changes, the Article 29 Working Party mandated the CNIL to lead the investigation into Google's new privacy policy. Two successive questionnaires were sent to Google. The company replied on April 20 and June 21, but several answers were incomplete or approximate. In particular, Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged into the new policy.

The analysis of Google's answers and the
examination of numerous documents and technical mechanisms by the CNIL's
experts have led EU Data protection authorities to draw their
conclusions and make recommendations to Google.

Firstly, it is not possible to ascertain from
the analysis that Google respects the key data protection principles of
purpose limitation, data quality, data minimization, proportionality and
right to object. Indeed, the Privacy policy suggests the absence of any
limit concerning the scope of the collection and the potential uses of
the personal data. The EU Data protection authorities challenge Google
to commit publicly to these principles.

Google provides insufficient information to its users on its personal
data processing operations:

Under the current Policy, the user of a Google service is unable to determine which categories of personal data are processed for this service, or the exact purposes for which these data are processed.

E.g.: the Privacy Policy makes no distinction in terms of processing between the innocuous content of a search query and the credit card number or telephone communications of the user; all these data can be used equally for all the purposes in the Policy.

Moreover, passive users (i.e. those that interact with some of Google's services, like advertising or ‘+1' buttons, on third-party websites) have no information at all.

EU Data protection authorities remind Google, and internet companies in general, that shorter privacy notices do not justify a reduction of the information delivered to the data subjects.

EU data protection authorities ask Google to provide clearer and more
comprehensive information about the collected data and purposes of each
of its personal data processing operations. For instance, EU Data
protection authorities recommend the implementation of a presentation
with three levels of detail to ensure that information complies with the
requirements laid down in the Directive and does not degrade the users'
experience. The ergonomics of the Policy could also be improved with
interactive presentations.

Google does not provide user control over the
combination of data across its numerous services

Combination of data across services has been generalized with the new Privacy Policy: in practice, any online activity related to Google (use of its services, of its Android system, or consultation of third-party websites using Google's services) can be gathered and combined.

The European DPAs note that this combination pursues different purposes such as the provision of a service requested by the user, product development, security, advertising, the creation of the Google account or academic research. The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data.

E.g.: the mere consultation of a website including a ‘+1' button is recorded and kept for at least 18 months and can be associated with the uses of Google's services; data collected with the DoubleClick cookie are associated with an identifying number valid for 2 years and renewable.

European Data Protection legislation provides a precise framework for personal data processing operations. Google must have a legal basis to perform the combination of data for each of these purposes, and data collection must also remain proportionate to the purposes pursued. However, for some of these purposes, including advertising, the processing does not rely on consent, on Google's legitimate interests, nor on the performance of a contract.

Google should therefore modify its practices when combining data
across services for these purposes, including:

reinforce users' consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics. This could be realized by giving users the opportunity to choose when their data are combined, for instance with dedicated buttons in the services (cf. the “Search Plus Your World” button);

offer improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose for which services their data are combined;

adapt the tools used by Google for the combination of data so that it
remains limited to the authorized purposes, e.g. by differentiating the
tools used for security and those used for advertising.

Google does not provide retention periods
Google refused to provide retention periods for the personal data it processes.

The recommendations of the EU Data protection authorities have been sent to Google
to allow the company to upgrade its Privacy Policy practices.
This letter is individually signed by 27 European Data protection
authorities for the first time and it is a significant step forward in
the mobilization of European authorities.

Several recommendations are also supported by members of APPA (Asia Pacific Privacy Authorities)
and Canada's federal Privacy Commissioner has had similar concerns about various Google activities.

The CNIL, all the authorities among the
Working Party and data protection authorities from other regions of the
world expect Google to take effective and public measures to comply
quickly and commit itself to the implementation of these