Earlier this year Google introduced a new one-policy-for-them-all privacy policy for all Google services. Essentially, the new privacy policy consolidated the privacy policies of Google’s various services into a single policy, which allowed Google to pool user data across its different services. The European Union has now ordered Google to revert to the old, separate privacy policies.
On behalf of the 27 members of the European Union, plus Croatia and Liechtenstein, French data privacy watchdog CNIL conducted an inquiry into Google’s new single privacy policy. As part of this inquiry, CNIL sent two questionnaires to Google asking about various aspects of how Google handles user data. According to CNIL, “several answers were incomplete or approximate” and “Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy”.
Further, CNIL asserts “it is not possible to ascertain from the analysis that Google respects the key [EU] data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object” and “the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data”.
In particular, CNIL has an issue with how the new privacy policy allows Google to consolidate user data from across Google’s various services without providing users with information on exactly what data is being collected, how that data is being used, and how long that data is kept by Google. CNIL also questions the “legal basis” of the new privacy policy.
While CNIL doesn’t outright call Google’s new privacy policy illegal, it does tell Google to make changes within “months” or the EU will “enter a phase of litigation”. More specifically, CNIL wants the following three changes:
- A reversion to Google’s one-privacy-policy-per-service approach, as opposed to the current one-privacy-policy-for-all
- Google should obtain better consent from users for the use of their data and provide a central opt-out tool
- Fix Google’s data collection tools so that collected data is only used for the purpose for which it was collected, e.g. data collected for improving the security of a service should only be used for that purpose, not advertising
Google has responded that it requires more time than the “three to four months” it has been given to provide an appropriate response to the EU.
It isn’t entirely clear what will happen going forward, but some are already predicting that this will cause a “domino effect” for Google. In other words, EU action against Google’s data collection and retention policies may trigger action against Google in other regions, namely the US. Let’s see what happens.