Google appears to be skating on thin ice once again with EU regulators, after it apparently failed to act on a draft privacy specification presented at an early July meeting between the search engine giant and no less than five European data protection authorities.
According to a published letter from Isabelle Falque-Pierrotin, the chair of the EU's Article 29 data protection working party, at the 2 July meeting, Google was presented with a draft specification on data privacy.
In this week's letter, however, Falque-Pierrotin says that Google must meet its obligations with respect to the European and national data protection legal frameworks and now has to determine the means to achieve these legal requirements.
"In order to guide Google in this compliance effort, the Article 29 Working Party [an EU umbrella data privacy organisation] has developed guidelines containing a common list of measures that your company could implement. A draft version was presented to representatives of Google on 2 July 2014, at a meeting in Paris in the presence of five European Data protection authorities," said the 23 September letter.
According to the Reuters newswire, data regulators in six European countries - Italy, France, Spain, Germany, Britain and the Netherlands - have already opened investigations into Google after it consolidated its 60 privacy policies into one and started combining data collected on individual users across its services, including YouTube, Gmail and Google Maps.
The problem with this new policy, says the newswire, is that it gives users no means to opt out of the programme.
The opt-out issue was also picked up by Nigel Stanley, practice director for cyber security, risk and compliance with OpenSky, who told SCMagazineUK.com that there really needs to be this facility for those Internet users that are concerned about their own data being collated by Google.
Educating Internet users
"We are also at the stage where we need to educate as many internet users as possible that their data is being collated by free services like Google and what, exactly, it is being used for," he explained.
Stanley went on to say that it was perhaps inevitable that Google - because of its sheer size - would come under the scrutiny of EU and EU member country data regulators.
"There's no doubt that many of Google's services are very useful to users, but even though they are free, they come at a price. And that price is the surrender of elements of your personal information," he explained.
Stanley went on to say that, because of these issues, the data privacy issue is starting to develop into an arms race between Google and the various regulators.
He says the arms race arises because Google's business is quite simple: the collection of data on its users, meaning that the 'discussions' are likely to turn into a war of attrition.
"You won't stop Google from the process of collecting data - as new rules are imposed, it will diversify, and it is to be hoped that the regulator will be equally as agile in controlling these changes in Google's actions," he said.
Richard Cassidy, senior solutions architect with Alert Logic, meanwhile, said that the EU is dealing with a very complex set of challenges.
"Global organisations of the ilk of Google are going to be intrinsically difficult to control from a data-privacy perspective, due to the simple fact that data-privacy laws vary greatly from country to country. We have yet to see a unified global data privacy law agreed on by all major governments, and many are still building their own templates from the 'Swedish Data-Act' first drafted back in the 1970s, at a time when we had a very different technology landscape with limited data mining, analytics and farming capabilities," he explained.
According to Cassidy, we live in an age where a great many of the services we rely on to go about our daily lives involve the use of technology and online services.
Freedom of information
Cassidy concluded that the letter and allied actions represent a very important move by the EU - "one that not only highlights the need for a global consensus and agreement on international privacy laws, but that also demonstrates the need for technology organisations to do a great deal more to ensure their services adhere to the data-privacy requirements in the countries in which it chooses to operate."