Europe Isn’t Satisfied With Google’s Privacy Policy Are You?

    October 16, 2012
    Chris Crum

As expected, the Commission Nationale de l’Informatique (CNIL), France’s data protection authority announced today that it, along with numerous other European data protection agencies, finds Google’s privacy policy changes (made earlier this year) unsatisfactory. The authorities say that Google does not provide enough info to users on its processing of personal data, does not allow users to control the combination of data among its “many services,” and does not specify retention periods. Google believes it complies with EU law. The EU disagrees.

Are you satisfied with Google’s privacy policy? Does it go far enough? What would you change about it? Let us know in the comments.

The CNIL’s announcement begins (as translated by Google Translate):

After several months of investigation by the CNIL on new Google privacy policy came into force on 1 March, the authorities of European data protection publish their joint conclusions. They recommend clearer information to people and ask Google to give users more control over the combination of data from the many services it offers. Finally, they want Google changes the tools used to prevent excessive collection of data.

European authorities have asked Google to provide clearer and more comprehensive info about data collection and the purpose for which all data is collected. These authorities want Google to present three levels of details that they say will “ensure information meets the requirements of the directive without degrading the user experience.” They go so far as to suggest interactive presentations.

One of the biggest concerns expressed in today’s announcement is that Google is not giving users enough control of the combination of data among its services. The authorities call upon Google to strengthen the consent of people for combined data by allowing users to choose when data are combined (such as with dedicated buttons on pages of services). They specifically cite the “Search Plus Your World” button as an example of what to do.

They also suggest Google provide better user control by centralizing and simplifying the opt-out process, allowing users to choose which services they want Google to be able to combine data from with other services. In addition, they want Google to distinguish tools used for security and those used for advertising.

The announcement concludes by indicating that Google has refused to engage on data retention periods for personal data, noting that a letter was sent to Google about this, signed by 27 authorities of European data protection.

Google hasn’t said much today so far in response to all of this, though they’ve certainly responded to concerns in the past. TechCrunch did manage to squeeze a statement out of Google Global Privacy Counsel Peter Fleischer, who says, “We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.”

It seems that Google is content that there is nothing in today’s announcement indicating that Google is violating any laws, which could simply mean that Google makes no changes to its privacy policy. That remains to be seen. Clearly, the authorities disagree, so this could lead to a legal battle.

You can see an 18-page response Google sent to the CNIL back in April here. In that letter, Google went through examples of its privacy notices to provide a “better understanding’ of the breadth and scale of its new privacy architecture. Here’s a sample from that letter, somewhat explaining Google’s position:

Users are accustomed to their products working together, and expect this consistent experience across their Google Account. The use of a primary privacy policy that covers many products and enables the sharing of data between them is an industry standard approach adopted by companies such as Microsoft, Facebook, Yahoo! and Apple.

Giving users easy access to their data across Google products allows them to do useful things such as immediately add an appointment to Calendar when a message in Gmail looks like it’s about a meeting; read a Google Docs memo right in Gmail; use Google+’s sharing feature, Circles, to send driving directions to family and friends without leaving Google Maps; and use a Gmail address book to auto-complete contact’s email addresses when inviting them to work on a Google Docs memo or sending them a Calendar invitation to a meeting.

Our updated Privacy Policy reflects our efforts to create one beautifully simple, intuitive user experience across Google. The main change is for users with Google Accounts. The updated Privacy Policy makes clear that, if a user is signed in, Google may combine information a user provided from one service with information from other services. In short, we can treat the user as a single user across all of our products.

Essentially, Google wants to be treated as if its various services are simply features of one central product. That’s what the privacy policy enables it to do. Would you be concerned if Facebook was using data from your Facebook searching habits to better serve you Facebook ads from your news feed? Would you be concerned if something you did using Apple’s Siri led to you getting some kind of personalized message on iOS?

This is the kind of scenario Google is thinking about from the standpoint of its own products. Many of its competitors already have products that compete with various Google services, but for the competitors, in many cases, they are simply features, rather than separate services. For example, Facebook Photos vs. Google’s Picasa Web Albums. Apple’s Maps app vs. Google Maps.

The difference is that Google has started from a somewhat different place than competitors. It has acquired and launched services that were not necessarily integrated from the beginning. They were standalone services with different destinations. The Facebook Photos vs. Picasa Web Albums is a prime example of the difference. Facebook Photos are just part of Facebook, whereas Picasa Web Albums have historically been a completely separate product from other Google products.

Still, Google owns all of these products, and it makes sense both from a business standpoint, and from the standpoint of a user who uses numerous Google products under a central Google login.

Should Google be treated differently because of the product strategy it has followed over the years. There is so much talk about whether Google is anticompetitive or not. Wouldn’t preventing Google from being able to use its products together in ways that make business sense and improve the user experience only hurt Google’s ability to compete?

You can find Google’s privacy policy here.

Should Google have to make changes to its privacy policy? Let us know what you think.