Feeds

EU data bosses order Google to sort out privacy

Gmail, YouTube, Google+, search - they all know you

Security for virtualized datacentres

EU data regulators have told Google that it has to make changes to its new privacy policy due to "incomplete information and uncontrolled combination of data across services".

The regulators, led by France's Commission Nationale de l'Informatique (CNIL), have spent several months investigating the policy, which basically allows Google to mash up all its previous 60 policies into one document and grab data on folks from across their services.

The data authorities said today in a CNIL announcement that Google needed to make the new terms of their over-arching policy clearer for users and give those users an opt-out option for each product so they can stop information being taken from one to the other.

A letter has been sent to the search giant outlining the changes that are wanted, signed by 27 out of the 29 countries' regulators involved. But although the EU is asking for alterations to the policy, it has not yet fined or threatened to fine the firm or accused it of breaking the law.

Google's Peter Fleischer, global privacy counsel, said that it was reviewing the findings.

"Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products," he said. "We are confident that our privacy notices respect European law."

CNIL, which has been an avid critic of the new policy, headed up the probe for Europe's G29 countries and questioned Mountain View twice about the changes, but said the firm did not give "satisfactory answers" to its concerns.

Nevertheless, by analysing all the documents and mechanisms of the new policy, the data protection authorities decided that the web giant did not do enough to protect people's privacy.

"It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimisation, proportionality and right to object." they said. "Indeed, the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data."

Google users can't figure out what categories of their personal information are being snaffled by the firm and what purpose that data is used for under the current policy, the regulators said, claiming that the policy made no distinction between the results of a search query and a credit card number.

The authorities also said that users had no control over the combination of their data across Google products like Gmail and YouTube, whether it would be used for product development or advertising or research. Google refused to give specific retention periods to CNIL, but the investigation found that the scope of data gathering was pretty broad and the information was kept for quite a while.

"The mere consultation of a website including a ‘+1' button is recorded and kept during at least 18 months and can be associated with the uses of Google's services," they said. "Data collected with the DoubleClick cookie are associated to a identifying number valid during two years and renewable."

Several of the recommendations are also backed by members of the Asia Pacific Privacy Authorities and Canada's federal privacy commissioner has similar concerns about Google, they added.

The web behemoth seems incapable of turning around these days without running into another regulatory probe. Google has just finished with a Federal Trade Commission case over ignoring do-no-track in Safari browsers, the EU is in the middle of an antitrust case that's analysing whether the firm uses its search advertising to favour its own services over competitors and that whole Street View data slurp stuff just goes on and on.

The UK ICO for its part had this to say in a statement supplied to the Reg:

We await Google's response which will be considered by the Commission Nationale de l'information et des liberties (CNIL), on behalf of the ICO and the other European data protection regulators. A decision will then be made on whether further action is required.

®

Remote control for virtualized desktops

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
Lawyers mobilise angry mob against Apple over alleged 2011 Macbook Pro crapness
We suffered 'random bouts of graphical distortion' - fanbois
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Verizon bankrolls tech news site, bans tech's biggest stories
No agenda here. Just don't ever mention Net neutrality or spying, ok?
Inside the EYE of the TORnado: From Navy spooks to Silk Road
It's hard enough to peel the onion, are you hard enough to eat the core?
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.