European Data Regulators Slam Google Over Privacy Policy: “Too Large” And Users Need More Control (But Not Illegal)

Authorities in Europe today kicked off a fresh wave of scrutiny over Google’s privacy policy and called for changes to be made in how Google manages user data, describing Google’s scope as “too large”. But they also stopped short of saying Google is acting illegally in how it manages privacy or demanding a change in its wider policy. France’s data protection authority, the Commission Nationale de l’Informatique (CNIL), today published a list of recommendations for the company in the area of user privacy, following an investigation that began earlier this year.

It will be worth watching to see how effective today’s report is: Google has three to four months to comply with these recommendations; otherwise it may face sanctions. Quite possibly that might also lead to escalated investigations, but there are, at this point, no fines or even demands that Google actually change its privacy policy.

Because the European Union acts in a “harmonized” way, those recommendations have been endorsed by data protection commissioners in several other countries. In all, some 29 regulators have backed the recommendations, including non-EU members Croatia and Liechtenstein. This is actually the first time that all of them have backed a single policy like this, the CNIL noted in the press conference today.

The investigation was sparked after Google changed its privacy policy, completing the process in March and combining some 60 different policies across its different online services (search, Gmail, YouTube, Google+, and more) into a single user privacy agreement. Google currently does not give users an easy way to opt out of that policy. The CNIL says that, acting in coordination with the other regulators in the group of 29, it sent two questionnaires to Google, in April and June, but that Google’s responses were not satisfactory.

In Europe, some of Google’s practices are actually running afoul of existing regulations, so the practical recommendations point to this area. (These, it should be pointed out, were leaked to Reuters yesterday.)

In a press conference today, Isabelle Falque-Pierrotin of the CNIL presented the findings and recommendations to Google. These include making it clearer to users how their personal information, including location data and credit card data, may be used.

One example the CNIL gives has to do with credit card information and what a user enters in a “trivial” content search: “Confidentiality rules do not make difference in treatment between a trivial content search and the number of credit card or telephone user,” it writes in its report. “All these data can be used interchangeably for all the purposes mentioned in rules.”

The recommendations largely relate to actions that speak to Google’s core business: advertising. It suggests that Google needs to better explain to users how their data is collected from different services and collated, and provide a way to opt out of this if a user chooses to do so.

Google, like many others working in online advertising, is looking for ways to better target ads to users, and part of the way that they do this is by monitoring your web activity and then serving ads that are relevant based on that. Companies like Google have always maintained that they use anonymized data when doing this, but the fact remains that your data continues to be mined.

The implications of this, of course, go much wider than Google, although since Google currently is the biggest of the Internet companies making money from online ads, it is the most obvious target.

It will be interesting to see how Google reacts to this report. Again, the company has not been accused of any illegal activities, and it has four months to put in some changes. Today’s recommendations therefore could be a first step in getting Google to change its practices before the scrutiny does reach higher levels of enforceability. And it would probably be a good PR exercise for the company to respond in a positive way.

And although there is no legal rider today, that doesn’t mean that the recommendations will not result in action from Google. Last month, Facebook had its own run-in with data protection authorities — in its case in Ireland, where it too was given “recommendations” for changes to put in place with its privacy policy. There, Facebook has worked with the DPA to implement those changes covering how users can access and delete their Facebook data, and going so far as to even (temporarily) shelve its Tag Suggest feature to automatically identify and tag faces in photos.

We are reaching out to Google for comment and will continue to update this story as the press conference progresses.

Update: Peter Fleischer, Google’s global privacy counsel, has given us an initial response, highlighting that there is no illegality noted in today’s findings, and possibly implying that it may not be changing anything any time soon:

“We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.”