Friday, March 02, 2012

Google’s New Privacy Policy Questioned by U.S., Canadian, European Authorities

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Google’s new comprehensive privacy policy may not adequately protect consumers’ legal rights and interests, government officials and privacy regulators in the United States, Canada, and Europe have told the company in three separate letters.

According to Google, the policy—which took effect yesterday—is intended to streamline and simplify the privacy policies for its various services by consolidating them into a single policy.

The National Association of Attorneys General (NAAG) sent a letter to Google CEO Larry Page on February 22, signed by 36 attorneys general, declaring that Google’s new policy was “troubling” and “appears to invade consumer privacy.”

Canada’s Privacy Commissioner, Jennifer Stoddart, wrote to Google’s Global Public Policy Manager in Ottawa, seeking additional information about the policy, particularly with regard to the collection of information via Android mobile devices.

On February 27, the French data protection authority, CNIL, also wrote to Page, informing him that the European Union’s Article 29 Data Protection Working Party had invited CNIL to investigate on behalf of the EU member states’ data protection authorities.

State Attorneys General Express Concerns

NAAG expressed concern that the new policy allows for greater information sharing between Google’s products and services without providing consumers an “opt-in” option or meaningful “opt-out” options.

“Google’s new privacy policy is troubling for a number of reasons,” the letter said. “On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products.”

According to NAAG, users of Google’s many products use them in different ways and expect that information they provide for one product, such as YouTube, would not be synthesized with information they provide for another product, such as Gmail or Google Maps. The new policy “forces” consumers to allow information across all of Google’s products to be shared without giving them the proper ability to opt out, the letter said.

The attorneys general requested to meet with Google “as soon as possible to work toward a solution that will best protect the privacy needs of those who use Google’s products.”

Full text of the letter is available here on NAAG’s website.

Canadian Privacy Commissioner Requests Information

According to Commissioner Stoddart, Google’s new consolidated policy lacked specific provisions relating to data retention and disposal, such as specific deadlines for the deletion of personal information following a user’s request.

“We strongly encourage Google to more clearly explain its data retention and disposal policies and practices, particularly those dealing with data deletion in response to a user request, and would request that you let us know how you intend to address this issue,” Stoddart said.

In addition, the new policy’s apparent removal of the separation between its various products—causing linkage of all of a user’s data together when the user logs into his or her account and uses various services—may make some users uncomfortable, according to Stoddart.

“We would strongly encourage you to make it clearer to users that if they are uncomfortable with these new uses of information, they can create separate accounts,” Stoddart said.

With respect to Android users, Stoddart pointed out that users appeared to have very little choice with regard to the ways Google would collect information from Android devices and link that information to other Google services they use.

“We would appreciate receiving comments from Google with respect to such linking of vast quantities of personal information as a condition of service to use the Android phone,” Stoddart said.

Further information on Stoddart’s letter is available here on the Canadian Privacy Commissioner’s website.

French Data Protection Authority Launches Investigation

CNIL stated that its preliminary analysis of the new policy showed that the policy did not meet the requirements of the European Data Protection Directive, particularly with regard to the information provided to data subjects.

“The new privacy policy provides only general information about all the services and types of personal data Google processes,” CNIL said. “As a consequence, it is impossible for averages users who read the new policy to distinguish which purposes, collected data, recipients or access rights are currently relevant to their use of a particular Google service.”

CNIL stated that it would send Google a full questionnaire on the matter before mid-March 2012. CNIL requested that Google “pause” its implementation of the policy until it had completed its analysis.

The text of CNIL’s letter is available here on the European Commission’s website.

1 comment:

Lulaine said...

The government is signaling to companies like Google that they will be watching very closely how they will handle consumer's concerns about their privacy. The letter indicates that Google specifically is on a lot of people's radars.