EU Privacy Regulators Zero-in on Google

When Google changed its privacy policy last year--integrating more than 60 separate policies into one giant 'we can collect everything' statement--EU officials and many US privacy advocates argued that the company was actually weakening what little protection users had when dealing with the online ad giant. CDD asked the FTC to investigate Google's approach as "unfair and deceptive," since it was offered as a privacy-enhancing approach--but its real goal, of course, was to enable Google to assemble even more bits about our digital (and offline) lives that could be put up for sale to advertisers.
 
Today, EU privacy regulators--led by the French Data Protection Office CNIL and joined by Canada and several Asia Pacific countries--told Google it had to fundamentally revise its approach to how it treats privacy (letter attached). Speaking truth to digital power, the EU explained that Google had violated provisions of its data protection law and now had to make fundamental changes. Google, they said, needed to be honest with users about what data was collected and why. It has to provide greater layers of information, transparency and control to its EU users--including over the use of "sensitive" information such as "location, credit card data, unique device identifiers...biometrics," as well as with mobile phone use. In its letter today, the EU regulators' Article 29 Working Party explained that:
 
the investigation confirmed our concerns about the combination of data across services. The new Privacy Policy allows Google to combine almost any data from any services for any purposes. Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user, the protection of the individual’s fundamental rights and freedoms overrides Google’s legitimate interests to collect such a large database, and no contract justifies this large combination of data. Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed. Moreover, Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it. Combining personal data on such a large scale creates high risks to the privacy of users. Therefore, Google should modify its practices when combining data across services for these purposes.
 
In this era of Big Data, citizens and consumers have become helpless fodder for a powerful data profiling and tracking apparatus that threatens our privacy. Today's decision by the EU on Google is a much-needed 'truth to digital power' wake-up call. We need principled regulators to rein in practices that may make money--but have too large a social and political cost.

Attachments:
20121016-letter_google-article_29-FINAL.pdf (652.1 KB)
GOOGLE_PRIVACY_POLICY-_RECOMMENDATIONS-FINAL-EN(1).pdf (415.44 KB)