The changes, the biggest of which will be completed by June 2015 , will put Google in line with the UK’s Data Protection Act, and will also see the company taking steps over the next two years for further improvements. It will also carry out user testing in the process. We’re embedding the full document below.
In a statement, Steve Eckersley, head of enforcement at the ICO, pointed out that Google had not been found to cause “substantial damage and distress to consumers” but that the changes were necessary anyway:
“This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products.
“Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law. Ensuring that personal data is processed fairly and transparently is a key requirement of the Act.
“This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services. It is vital that there is clear and effective information available to enable users to understand the implications of their data being combined. The detailed agreement Google has signed setting out its commitments will ensure that.”
The settlement document, co-signed by Google’s general counsel/SVP Kent Walker and UK information commissioner Christopher Graham, is not quick reading. The majority of it is a rundown of what has happened in the last three years, from the introduction of Google’s policy, explaining what it does, and how the ICO started to investigate it. Probably the most important part of it for now is the list of seven commitments that Google has made for what it will do in the future:
- Ensure that there is continued evaluation of the privacy impact of future changes to processing which might not be within the reasonable expectations of service users so that users are provided with prompt and adequate notice of such processing;
- Provide a report to the Commissioner by August 2015 setting out the steps which the data controller has taken in response to the commitments set out in this undertaking.
Google has been in the spotlight in Europe over regulatory issues for years. The biggest of these have been in the arena of antitrust, and specifically the company’s dominance in areas like search and online advertising. These investigations are still ongoing, after the previous antitrust commissioner’s provisional settlement with Google was so roundly criticised for being too weak that it was sent back for further scrutiny. Now, with a new commissioner at the helm, we are effectively back at or near square one.
Separately, Google has been under a lot of scrutiny over how it handles personal data. People are still debating whether the RTBF rules — which effectively mean that Google and other search companies have to remove links in its search results for private individuals if those individuals request them to be taken down — violate freedom of information, or are the fairest way of ensuring individual control over our privacy. (Companies like Wikipedia are interestingly in opposition to RTBF.)
Document below. More to come.