Because the European Union acts in a “harmonized” way, those recommendations have been endorsed by data protection commissioners in several other countries. In all, some 29 regulators have backed the recommendations, including non-EU members Croatia and Lichtenstein. This is actually the first time that all of them have backed a single policy like this, the CNIL noted in the press conference today.
In Europe, some of Google’s practices are actually running afoul of existing regulations, so the practical recommendations point to this area. (These, it should be pointed out, were leaked to Reuters yesterday.)
In a press conference today, Isabelle Falque-Pierrotin of the CNIL presented the findings and recommendations to Google: they include suggesting making it clearer to users how their personal information — that includes location data and credit card data — may be used.
One example the CNIL gives has to do with credit card information and what a user enters in a “trivial” content search: “Confidentiality rules do not make difference in treatment between a trivial content search and the number of credit card or telephone user,” it writes in its report. “All these data can be used interchangeably for all the purposes mentioned in rules.”
The recommendations largely relate to actions that speak to Google’s core business: advertising. It suggests that Google needs to better explain to users how their data is collected from different services and collated, and provide a way to opt out of this if a user chooses to do so.
Google, like many others working in online advertising, is looking for ways to better target ads to users, and part of the way that they do this is by monitoring your web activity and then serving ads that are relevant based on that. Companies like Google have always maintained that they use anonymized data when doing this, but the fact remains that your data continues to be mined.
The implications of this, of course, go much wider than Google, although since Google currently is the biggest of the Internet companies making money from online ads, it is the most obvious target.
It will be interesting to see how Google reacts to this report. Again, the company has not been accused of any illegal activities, and it has four months to put in some changes. Today’s recommendations therefore could be a first step in getting Google to change its practices before the scrutiny does reach higher levels of enforceability. And it would be probably a good PR exercise for the company to respond in a positive way.
We are reaching out to Google for comment and will continue to update this story as the press conference progresses.
Update: Peter Fleischer, Google’s global privacy counsel, has given us an initial response, highlighting that there is no illegality noted in today’s findings, and possibly implying that it may not be changing anything any time soon: