Out-Law News 4 min. read

Google committed to privacy policy changes despite regulatory claims of non-compliance with EU laws


Google will introduce changes to its privacy policies as planned today despite a regulator in France claiming that the policy breaches EU data protection laws.

From today the internet giant plans to operate with one single all-encompassing privacy policy covering the collection of personal data across all its services. However, earlier this week the head of the French data protection authority called on Google to postpone the imminent changes after claiming "preliminary analysis" had shown the single policy did not comply with EU law.

Google said it would introduce the new policy as planned. "To pause now would cause a great deal of confusion for users," Peter Fleischer, Google privacy lawyer said, according to media reports. "We have given well over a month for our users to read and understand the privacy policy changes, and have provided extensive information on these changes for our users.

In a letter (2-page / 704KB PDF) to Google chief executive Larry Page dated 27 February, the president of Commission Nationale de l’information et des Liberties (CNIL) said that the terms of Google's policy were too difficult to understand. She also raised questions about what the company would actually do with data it collects.

"Rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google's actual practices," Isabelle Falque-Pierrotin said in her letter.

"Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals. In addition, Google is using cookies (among other tools) for these combinations and in this regard, it is not clear how Google aims to comply with the principle of consent laid down in [the EU's Privacy and Electronic Communications Directive], when applicable," she said

Because Google's services "differ greatly" in terms of the purposes and types of data processing, Google's new singular policy providing "only general information" is insufficiently detailed to tell users everything them need to know, Falque-Pierrotin said.

"It is impossible for average users who read the new policy to distinguish which purposes, collected data, recipients or access rights are currently relevant to their use of a particular Google service. The fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either," she said.

"The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and its compliance with European Data Protection legislation, especially with articles 6 and 7 of the Data Protection Directive," she said.

Google should "pause" from introducing its privacy policy update until CNIL can completely analyse the policy. CNIL will send Google a "full questionnaire" about the policy "as well as other related aspects of Google's data processing activities" by the middle of March, Falque-Pierrotin said.

The CNIL president said that it was a "regret" that Google had not consulted properly with EU data protection authorities about its new policy prior to announcing the planned policy changes on 24 January. Google has previously insisted that it had informed the authorities about its intentions - and that no objections had been raised - before announcing them publicly.

"Contrary to public statements by Google ... not all authorities were informed, and those that were informed only heard about the changes a few days before the announcement. They saw the contents of the new privacy policy at best a few hours before its public release, without any opportunity to provide any constructive feedback," Falque-Pierrotin said.

"Google should supplement existing information with service and purpose specific information," she said.

The EU's Data Protection Directive lays out a framework of rules that organisations must follow to ensure they use personal data appropriately. EU member states introduced national legislation to implement the Directive. The rules are set out for UK organisations in the Data Protection Act.

Under the Directive personal data must be processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Generally, organisations are required to obtain individuals' unambiguous consent in order to legitimately process their personal data.

Separate EU legislation – the Privacy and Electronic Communications Directive (ePrivacy Directive) – sets out the rules for organisations to obtain consent for cookies. Cookies are small text files that websites store on users' computers. The files contain information about users' online activity.

Under the e-Privacy Directive storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be "freely given, specific and informed". An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

CNIL had been tasked with reviewing Google's privacy policy changes by EU privacy watchdog the Article 29 Working Party. The group is comprised of representatives from the data protection watchdogs of the EU's 27 member states.

Earlier this week privacy campaign group Big Brother Watch called on the UK's data protection watchdog - the Information Commissioner's Office - to conduct its own investigation into the imminent privacy policy changes at Google.

Google has said that the changes would result in a simpler and easier to understand explanation of how it uses user data and enable it to offer more personalised services to those individuals.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.