5 Comments

Summary:

The UK’s data protection authority has ordered Google to change its privacy policy, while action is also being taken in Germany and Spain. The company faces an increasingly co-ordinated regulatory adversary.

privacy

A few months ago, Europe’s privacy authorities opened investigations into Google’s unified privacy policy, which Google introduced at the start of 2012 to allow it to share data across its various services. The EU data protection authorities argued that this sharing went too far for many users, as people may not want YouTube views, search queries and Gmail keywords tossed into the same pot, and may not even realize that Google is doing this.

Now we’re starting to see action. The UK Information Commissioner’s Office (ICO) has ordered Google to make its privacy policy easier to understand and the data protection authorities in Germany have also begun proceedings against the company (Spain did the same on 20 June).

“Formal enforcement action”

Here’s what the ICO said:

“We believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.

“Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policies compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”

In response to the actions taking place in the UK, Germany and Spain, Google’s merely trotted out the exact same line it’s previously used: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we’ll continue to do so going forward.”

According to the authorities, none of this – perhaps barring the creation of simpler services – is true. The data protection officials in the Article 29 Working Party group specifically said Google had not provided satisfactory answers, and that the unified privacy policy was not compliant with EU law.

Unified policy, unified response

Thing is, the immediate enforcement action these authorities can take is relatively toothless, particularly for an adversary with deep pockets. We’re talking fines in the hundreds of thousands of euros – hardly enough to make a company like Google sweat. However, Google would be mistaken if it thought it could just brush off their concerns.

There are two reasons for this, the first being the ability of authorities such as ICO to go to the courts and seek a legal order forcing Google to change its ways. I know of no precedent in the UK for this, but the power is there and Google may find itself on the sharp end of it if the company carries on pretending there’s no issue.

The second reason may be more fundamental in the long term: we’re increasingly seeing data protection authorities coordinate their actions in response to companies, like Google, that operate on a cross-border basis. Although international laws do vary, this is even starting to happen at the global level.

Just look at the joint letter sent to Larry Page last month about potential privacy concerns around Google Glass. That letter was signed by data protection authorities from the EU, Canada, Mexico, Israel, Switzerland, New Zealand and Australia.

Privacy officials are clearly waking up to the concept of strength in numbers, not to mention the fact that they can respond more quickly to technological change by cutting down on duplicated efforts. It’s also much harder, even for a company with Google’s resources, to effectively lobby authorities that are all talking to one another.

There’s no question that a unified privacy policy helps Google run its business more efficiently. But it may just find its actions elicit a unified reaction that it would rather not face.

  1. Sic ‘em!

    Share
  2. The real threat to Google and other American companies is the NSA spying scandal. As companies (and individuals) wrap their head around this whole privacy issue we may well see a migration to European cloud and SaS providers where a more heavily regulated privacy infrastructure exists.

    Share
  3. ernest taylor Saturday, July 6, 2013

    You have to be a real sick bastard to spy on people in there home

    Share
  4. Google will begin to meet with regulators biweekly. Almunia was able to modify Google’s technical approach to Search in way that turned turned out to be mutually beneficial for Google and EU users (MS not so beneficial but better than nothing). A similar session of meetings with the EU over security/privacy/and assured user controls over privacy is coming up next year. Some wordsmithing of policy now could foreshadow technical improvements in future years.

    Share
  5. Drat! Those pesky privacy concerned European countries are making it difficult for Google. If only they could be more like the kleptocratic corporatocracy known as the US which willingly allows any corporation to come along with the usual lobbyists to make the rules for the rest of us peons.

    Share

Comments have been disabled for this post