Upon the eve of Google’s new and controversial Privacy Policy going into effect, the tech company received a resounding rebuke from the European Union yesterday as France’s regulator said that the new policy seems to violates the EU’s rules regarding data protection. Given the possibility, CNIL, the French administrative authority that monitors how companies collect and store personal data of users, was not won over by Google.
With their initial findings not pleasing, CNIL penned a letter to Google CEO Larry Page on Monday that chided the company for failing to actually consult with authorities prior to announcing the new privacy policy. Further, CNIL suggests that Google exaggerated claims that “data protection authorities across the EU had been ‘extensively pre-briefed.'” As it were, it turns out Google only contacted a sample of the authorities and, even then, only did so mere hours before the announcement of the new privacy policy. Ultimately, CNIL declares that “Google’s new privacy policy does not meet the requirements of the European Directive on Data Protection, especially regarding the information provided to data subjects.”
But just because the EU put Google on the ropes didn’t mean that they were going to start pulling punches. The letter continues to scold Google the way a sagacious parent might discipline a crass, ill-tempered child.
The fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either.
Rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices. Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes even for trained privacy professionals.
The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation.
CNIL concluded by saying that they will “fully address” this issue within the next few weeks, but by then who knows what further trouble will have arisen in the muck of Google’s new policy. In the meantime, CNIL has asked Google for a “pause” in implementing the new privacy policy.
To that last note, Peter Fleischer, Google’s global privacy counsel, said, “We have notified over 350 million authenticated Google users and provided highly visible notifications on our home page and in search results for our non-authenticated users. To pause now would cause a great deal of confusion for users.”
No, enacting a new and poorly understood privacy policy will cause confusion for users, Mr. Fleischer. It’s not like the launch of this new privacy policy is some runaway locomotive on a downhill plummet that can’t possibly be halted without causing the collateral deaths of every passenger onboard. It’s a user policy. You most definitely can delay its application. But instead, Google has opted to amorally go with the “Gimme it, it’s mine!” approach to user privacy, information in general, and its disdain for international laws.
