Germany Warns Google Over User Profiling Privacy Violations

Google has been warned it needs to rein in its user profiling activities in Germany because its current practice of joining the dots across multiple services is in violation of local privacy laws.

The Hamburg Data Protection Authority warned Google yesterday that its user profiling activities are violating Germany’s Telemedia Act & Federal Data Protection Act, owing to the lack of explicit user consent to how the data is processed.

The watchdog said significant changes are necessary to bring Google into legal compliance in Germany — specifying that it must gain user consent for the profiling, and allow users to control what their data is used for.

The Hamburg data protection authority noted that the kind of information Google can glean by triangulating usage of services such as YouTube, Google Maps and Gmail — so across both web and mobile — can be hugely comprehensive, including detailed data such as a user’s location, preferences, social and financial status, sexual orientation and relationship status.

Hamburg’s deputy data protection commission, Ulrich Kühn, told TechCrunch: “We see no legal grounds for such profiling across services.”

While Germany has a regional system of data protection authorities, owing to its federal state structure, the Hamburg authority told Reuters it is representing Germany as part of a European task force that is examining Google’s privacy policy.

Although the watchdog notes in the ruling that Google’s privacy policy excludes linking certain sensitive user data with advertising, it argues the company is still overreaching German law by joining up usage of multiple different services without individuals’ consent, and by not offering an opt-out.

“We ordered Google to achieve unambiguous user consent before combining user data from different services for purposes that are not strictly necessary to deliver the service. In some cases (e.g. pseudonymous user profiling), the implementation of appropriate mechanisms to opt out are sufficient,” said Kühn.

In a statement provided to the FT, the watchdog added: “On the substantial issue of combining user data across services Google has not been willing to abide by the legally binding rules and has refused to substantially improve the user’s controls. So we had to compel Google to do so by an administrative order.”

Google has four weeks from the administrative order to raise any objections, according to Kühn. “We set a timeframe of two months after non-appealability of the administrative order to comply with the requirements set therein,” he added.

Google has been under fire in Europe for some time, following its January 2012 decision to unify the privacy policies of scores of its products — allowing it to collapse the walls between multiple data silos and link user behavior across distinct services. This means that although the services remain distinct on the surface, behind the scenes their individual pipes feed into the same massive user-data reservoir.

At the start of this year the French data protection agency, CNIL, fined Google just over $200,000 for privacy violations — the highest fine it had ever issued. Albeit still a laughable small sting for a company that pulls in nearly $15 billion in revenue per quarter. Which really does beg the question of how in practice European regulators can compel a US giant to comply with local privacy laws, given the dainty claws at their disposal.

Indeed, when it comes to compelling Google to respect European law it appears to take a European Court of Justice ruling to do so — such as the so-called right to be forgotten ruling back in May, which has forced Google to accept requests from private individuals wanting outdated or irrelevant information about them de-listed from its index. Google has, however, lobbied fiercely and visibly against that ruling — and continues to do so.

In a statement on the Hamburg ruling provided to TechCrunch, a Google spokesman said: “We’ve engaged fully with the Hamburg Data Protection Authority throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services. We’re now studying their order to determine next steps.”