European Union doesn’t like Google’s privacy policy, tells Google to change it or face litigation

Earlier this year Google introduced a new one-policy-for-them-all privacy policy for all Google services. Essentially, the new policy consolidated the privacy policies of Google’s various services into a single privacy policy, which allowed Google to pool user data across its different services. The European Union has now ordered Google to revert to the old, separate per-service privacy policies.

On behalf of the 27 members of the European Union, plus Croatia and Liechtenstein, French data privacy watchdog CNIL conducted an inquiry into Google’s new single privacy policy. As part of this inquiry, CNIL sent two questionnaires to Google asking about various aspects of how Google handles user data. According to CNIL, “several answers were incomplete or approximate” and “Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy”.

Further, CNIL asserts “it is not possible to ascertain from the analysis that Google respects the key [EU] data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object” and “the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data”.

In particular, CNIL has an issue with how the new privacy policy allows Google to consolidate user data from across Google’s various services without providing users with information on exactly what data is being collected, how that data is being used, and how long that data is kept by Google. CNIL also questions the “legal basis” of the new privacy policy.

While CNIL doesn’t outright call Google’s new privacy policy illegal, it does tell Google to make changes within “months” or the EU will “enter a phase of litigation”. More specifically, CNIL wants the following three changes:

  • Revert to Google’s one-privacy-policy-per-service approach, as opposed to the current one-privacy-policy-for-all
  • Obtain better consent from users for the use of their data and provide a central opt-out tool
  • Fix Google’s data collection tools so collected data is only used for the purpose for which it was collected, e.g. data collected for improving the security of a service should only be used for that purpose, not advertising

Google has responded that it requires more time than the “three to four months” it has been given to provide an appropriate response to the EU.

It isn’t entirely clear what will happen going forward, but some are already predicting that this will cause a “domino effect” for Google. In other words, EU action against Google’s data collection and retention policies may trigger action against Google in other regions… namely the US. Let’s see what happens.

[via BBC, CNIL, Slate]

  • Akbar

    Iran already blocked access to Google and Gmail saving Persians from the satanic Google and its devilish offspring.

  • Mike

    Wow–a major challenge to Google and how it has determined to proceed, in a universal, cohesive manner. Given that, I can understand Google’s wanting more time to consider this; and, at the same time, the EU’s wanting changes to be made NOW, to protect its constituency in this important aspect of their lives.

  • clockmendergb

    I cannot see the USA wanting them to change back.
    If I was into conspiracy theories, which I am,
    I would say that all that data is being sent through two identical servers (just as ATT do it), one belonging to the department of homeland security.

    I could be wrong of course.