Google Settles With UK’s Information Commissioner And Will Change Its Privacy Policy

While Google continues to work through implementing Right To Be Forgotten legislation in Europe, there are some more developments around how Google handles consumer data and privacy. The search giant has reached an agreement with the UK’s Information Commissioner’s Office over how it collects personal data in the country, signing and publishing a lengthy document outlining its commitment to make changes to its current privacy policy (the one first unveiled in January 2012 and implemented in March 2012 in Europe, which basically pulled together 70 of Google’s existing privacy policies).

The changes, the biggest of which will be completed by June 2015, will put Google in line with the UK’s Data Protection Act, and will also see the company taking steps over the next two years for further improvements. It will also carry out user testing in the process. We’re embedding the full document below.

In a statement, Steve Eckersley, head of enforcement at the ICO, pointed out that Google had not been found to cause “substantial damage and distress to consumers” but that the changes were necessary anyway:

“This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products.

“Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law. Ensuring that personal data is processed fairly and transparently is a key requirement of the Act.

“This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services. It is vital that there is clear and effective information available to enable users to understand the implications of their data being combined. The detailed agreement Google has signed setting out its commitments will ensure that.”

The settlement document, co-signed by Google’s general counsel/SVP Kent Walker and UK information commissioner Christopher Graham, is not quick reading. The majority of it is a rundown of what has happened in the last three years: the introduction of Google’s policy, an explanation of what it does, and how the ICO started to investigate it. Probably the most important part of it for now is the list of seven commitments that Google has made for what it will do in the future:

  1. Carry out the steps set out in Annex 1 with regards to the accessibility and content of the Privacy Policy and associated web content by 30 June 2015 [i.e., make it more accessible to ordinary consumers to see and understand];
  2. Ensure that there is continued evaluation of the privacy impact of future changes to processing which might not be within the reasonable expectations of service users so that users are provided with prompt and adequate notice of such processing;
  3. Keep the content of the Privacy Policy and associated web content under review and take appropriate actions so that service users are informed as to the ways in which their personal data may be processed;
  4. Keep the overlay examples for the Privacy Policy under review to ensure that informative and relevant examples are always in use;
  5. Continue to ensure that any significant future changes to the Privacy Policy are reviewed by user experience specialists and with representative user groups before the policy and associated tools are launched as appropriate;
  6. Continue to pro-actively cooperate with the Commissioner and provide appropriate advance notice of any significant changes, and respond promptly to enquiries relating to the ways in which Google processes user data and its proposals for consequential changes to the Privacy Policy and supporting web content;
  7. Provide a report to the Commissioner by August 2015 setting out the steps which the data controller has taken in response to the commitments set out in this undertaking.

Google has been in the spotlight in Europe over regulatory issues for years. The biggest of these have been in the arena of antitrust, and specifically the company’s dominance in areas like search and online advertising. These investigations are still ongoing, after the previous antitrust commissioner’s provisional settlement with Google was so roundly criticised for being too weak that it was sent back for further scrutiny. Now, with a new commissioner at the helm, we are effectively back at or near square one.

Separately, Google has been under a lot of scrutiny over how it handles personal data. People are still debating whether the Right To Be Forgotten (RTBF) rules — which effectively mean that Google and other search companies have to remove links from their search results for private individuals if those individuals request that they be taken down — violate freedom of information, or are the fairest way of ensuring individual control over our privacy. (Interestingly, organisations like Wikipedia are in opposition to RTBF.)

In the meantime, Google is still fighting over how it can carry out the privacy policy introduced in 2012. It has faced trouble in Europe before: in 2013, the data protection authority in Holland also ruled that Google had violated its policies and forced the company to change how it discloses information to consumers in the country.
