The privacy commissioners have called on Google and any other organisation operating internationally to make sure that their services comply with the privacy laws in all the countries covered by a service.
The letter and the co-ordination it represents are unprecedented, according to Canadian privacy commissioner Jennifer Stoddart, who is behind the action. The privacy commissioners of the UK, France, Germany, Israel and New Zealand were amongst those who signed the letter, as well as the chairman of the Article 29 Working Party committee of EU privacy commissioners.
"We are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications," said the letter. "We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services."
Google Buzz was the search giant's attempt earlier this year to emulate the success of social networking site Facebook. It automatically used contacts and details of its Gmail users in a way that could have exposed private information.
"In essence, you took Google Mail (Gmail), a private, one-to-one web-based e-mail service, and converted it into a social networking service, raising concern among users that their personal information was being disclosed," said the letter. "Users instantly recognized the threat to their privacy and the security of their personal information, and were understandably outraged."
"It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise," it said. "Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world."
Stoddart said that companies must take more care before launching products to ensure that they protect users' privacy. "While we hear corporations such as Google pay lip service to privacy, we don’t always see this reflected in the launch of new products,” she said. "Data protection authorities representing over 375 million people in 10 countries are speaking with a common voice to remind these organizations that they must comply with the privacy laws of each country where they roll out online products and services.”
The privacy regulators outlined the steps that any organisation should take before launching a service that could affect people's privacy rights.
"[Organisations should be] collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service; providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent; creating privacy-protective default settings; ensuring that privacy control settings are prominent and easy to use; ensuring that all personal data is adequately protected; and giving people simple procedures for deleting their accounts and honouring their requests in a timely way," the letter said.
It called on companies to consult with data protection officials if they were in doubt about the compliance of their services. It also asked Google for a response outlining how it will change the way that it launches products in the future.
Shortly after the outcry over Buzz, Google changed the way the system worked and no longer automatically linked people in Buzz who had communicated through Gmail.
"We quickly realized that we didn't get everything quite right," said Gmail and Buzz product manager Todd Jackson in a blog post soon after the launch. "We're very sorry for the concern we've caused and have been working hard ever since to improve things based on your feedback. We'll continue to do so."