EU regulators fire warning shots across Google's bow on data privacy

News by Steve Gold

EU vs Google: the data privacy battle continues...

Google appears to be skating on thin ice once again with EU regulators, after it apparently failed to act on a draft privacy specification presented at an early July meeting between the search engine giant and no less than five European data protection authorities   

According to a published letter from Isabelle Falque-Pierrotin, the chair of the EU's Article 29 data protection working party, at the 2 July meeting, Google was presented with a draft specification on data privacy.

In this week's letter
, however, Falque-Pierrotin says that Google must meet its obligations with respect to the European and national data protection legal frameworks and now has to determine the means to achieve these legal requirements.

"In order to guide Google in this compliance effort, the Article 29 Working Party [an EU umbrella data privacy organisation] has developed guidelines containing a common list of measures that your company could implement. A draft version was presented to representatives of Google on 2 July 2014, at a meeting in Paris in the presence of five European Data protection authorities," said the 23 September letter.

"The guidelines have been elaborated in the context of this specific coordinated EU investigation into Google's privacy policy. The Article 29 Working Party may also consider issuing guidance on specific issues to the entire industry, at a later stage," it added.

Whilst Working Party 29 cannot sanction Google directly, its members have imposed financial penalties in several cases following Google's 2012 changes to its privacy policy, which various national privacy regulators found to be in breach of EU rules.

The EU working party is now looking to Google to update its privacy policy so that it features clear, unambiguous and comprehensive information regarding data processing, including a list of the types of personal data processed.

According to the Reuters newswire, data regulators in six European countries - Italy, France, Spain, Germany, Britain and the Netherlands - have already opened investigations into Google after it consolidated its 60 privacy policies into one and started combining data collected on individual users across its services, including YouTube, Gmail and Google Maps.

The problem with this new policy, says the newswire, is that it gives users no means to opt out of the programme.

The opt-out issue was also picked up by Nigel Stanley, practice director for cyber security, risk and compliance with OpenSky, who told that there really needs to be this facility for those Internet users that are concerned about their own data being collated by Google.

Educating Internet users

"We are also at the stage where we need to educate as many internet users as possible that their data is being collated by free services like Google and what, exactly, it is being used for," he explained.

Stanley went on to say that it was perhaps inevitable that Google - because of its sheer size - would come under the scrutiny of EU and EU member country data regulators.

"There's no doubt that many of Google's services are very useful to users, but even though they are free, they come at a price. And that price is the surrender of elements of your personal information," he explained.

Stanley went on to say that, because of these issues the data privacy issue is starting to develop into an arms race between Google and the various regulators.

He says that the arms race is because Google's business is quite simple: the collection of data on its users, meaning that the `discussions' are likely to turn into a war of attrition.

"You won't stop Google from the process of collecting data - as new rules are imposed, it will diversify, and it is to be hoped that the regulator will be equally as agile in controlling these changes in Google's actions," he said.

Richard Cassidy, senior solutions architect with Alert Logic, meanwhile, said that the EU is dealing with a very complex set of challenges.

"Global organisations of the ilk of Google are going to be intrinsically difficult to control from a data-privacy perspective, due to the simple fact that data-privacy laws vary greatly from country to country. We have yet to see a unified global data privacy law agreed on by all major governments, and many are still building their own templates from the `Swedish Data-Act' first drafted back in the 1970's, at a time when we had a very different technology landscape with limited data mining, analytics and farming capabilities," he explained.

According to Cassidy, we live in an age where a great deal of the services we rely on, to go about our daily lives, involves the use of technology and online services.

Freedom of information

"Freedom of information is a key part of the discussion, however individuals need a great degree of control (in a non-complex manner) of what level of information can remain free about them in the public domain and - more importantly - how that information is protected. That said however, organisations like Google do not do themselves any favours, given their existing privacy policy, which, when all has been said and done, leaves a great deal of ambiguity left and a large degree of carte blanche in how our personal data 'might' be used by them," he said.

"It would seem therefore that a great deal of what was communicated by the Article 29 Working Party has yet to be incorporated into Google's privacy policy. The fact of the matter is, no single company can be above the laws of any country, regardless of their corporate headquarters and major development centres," he added.

Cassidy concluded that this the letter and allied actions represent a very important move by the EU - "one that not only highlights the need for a global consensus and agreement on international privacy laws, but that also demonstrates the need for technology organisations to do a great deal more to ensure their services adhere to the data-privacy requirements in the countries in which it chooses to operate."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews