The pressure on companies to adapt to stronger privacy regulation and enforcement in the EU increased this week, following the release of a letter to Google on behalf of 30 European data-protection commissioners.

On October 16, 2012, the Article 29 Data Protection Working Party publicly disclosed the correspondence it had sent simultaneously to Google following the investigation into Google’s new privacy policy that started in February this year. In the correspondence (letter and appendix), the European data protection authorities formally put significant pressure on Google, as a leader in the online world, to publicly commit to key data protection principles and to bring changes to its privacy policy and practices by implementing what are termed “recommendations”; whether they are really “recommendations” or mandatory modifications remains to be seen, and will only become clear if Google does not play ball.

The Asia Pacific Privacy Authorities have also issued a public letter supporting the findings and recommendations of the Article 29 Working Party and stressing that Google, as a market leader, has the responsibility to set a high benchmark for service that others will emulate.

The story starts back in January 2012, when Google announced that it would merge its existing 60+ privacy policies into one single policy effective as of March 1, 2012. This announcement prompted the Article 29 Working Party to launch an investigation to assess whether this new privacy policy complied with the European data protection legislation. The Working Party appointed the CNIL, the French data protection regulator, to lead this investigation on its behalf.

The changes that the authorities are calling for include the following:

1. Google should provide better information to its users on its processing of personal data.

The Working Party concludes that Google’s current policy fails to respect the obligation of transparency as set out in the European legislation.

The Working Party thus asks Google to make numerous improvements, including:

  • to provide clearer and more comprehensive information for each type of “processing” (e.g. use of data), setting out the purposes and categories of data (implying that privacy policies that set out all categories of data collected under one heading and all types of processing under separate headings are no longer best practice, as the detail needs to be provided on a use-by-use basis);
  • to define an architecture of privacy notices. Such an architecture could be based on three levels of detail, i.e. (1) in-product privacy notices and interstitial notices, (2) the current privacy policy in an updated version addressing the Working Party’s concerns, and (3) product-specific information; and
  • to develop interactive presentations that allow users to navigate easily through the content of the policies.

2. Google should provide better user control over the combination of data across its services.

The Working Party is concerned that the privacy policy allows Google to combine almost any data from any services for any purposes, in breach of the key data protection principles of legitimacy and proportionality.

The Working Party asks Google to modify its practices when combining data across services, including:

  • seek users’ consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics;
  • offer improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose the services for which their data can be combined; and
  • adapt the tools used by Google for the combination of data so that any use of combined data remains limited to the authorized purposes.

3. Google should enforce adequate retention periods.

The Working Party stresses that, despite repeated requests during the investigation, Google refused to provide a maximum or typical retention period for the personal data it processes.

The Working Party thus invites Google to define more clearly the retention period of personal data, especially for the following actions: requests for deletion of content, cancellation of a specific service and deletion of account.

In a public statement that followed the publication of the letter and appendix, the Chairman of the CNIL said that Google had not shown the level of cooperation the authorities were expecting during the investigation. The CNIL also indicated that, although the letter sets no deadline, the authorities expect Google to bring changes to its privacy policy and processing within the next 3 to 4 months, failing which Google could be exposed to sanctions by the various EU authorities for violation of the European legislation.

Whether the letter (with its emphasis on what Google “should” do, not “must” do) represents a conscious decision to avoid direct confrontation, or (as some believe) merely a step in a process towards formal enforcement action, remains to be seen. Either way, any online company with EU users would be well served to examine its own data sharing, use, and disclosure practices in light of these unified EU criticisms of Google’s new universal privacy policy.