Feeds

EU data bosses order Google to sort out privacy

Gmail, YouTube, Google+, search - they all know you

Top 5 reasons to deploy VMware with Tegile

EU data regulators have told Google that it has to make changes to its new privacy policy due to "incomplete information and uncontrolled combination of data across services".

The regulators, led by France's Commission Nationale de l'Informatique (CNIL), have spent several months investigating the policy, which basically allows Google to mash up all its previous 60 policies into one document and grab data on folks from across their services.

The data authorities said today in a CNIL announcement that Google needed to make the new terms of their over-arching policy clearer for users and give those users an opt-out option for each product so they can stop information being taken from one to the other.

A letter has been sent to the search giant outlining the changes that are wanted, signed by 27 out of the 29 countries' regulators involved. But although the EU is asking for alterations to the policy, it has not yet fined or threatened to fine the firm or accused it of breaking the law.

Google's Peter Fleischer, global privacy counsel, said that it was reviewing the findings.

"Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products," he said. "We are confident that our privacy notices respect European law."

CNIL, which has been an avid critic of the new policy, headed up the probe for Europe's G29 countries and questioned Mountain View twice about the changes, but said the firm did not give "satisfactory answers" to its concerns.

Nevertheless, by analysing all the documents and mechanisms of the new policy, the data protection authorities decided that the web giant did not do enough to protect people's privacy.

"It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimisation, proportionality and right to object." they said. "Indeed, the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data."

Google users can't figure out what categories of their personal information are being snaffled by the firm and what purpose that data is used for under the current policy, the regulators said, claiming that the policy made no distinction between the results of a search query and a credit card number.

The authorities also said that users had no control over the combination of their data across Google products like Gmail and YouTube, whether it would be used for product development or advertising or research. Google refused to give specific retention periods to CNIL, but the investigation found that the scope of data gathering was pretty broad and the information was kept for quite a while.

"The mere consultation of a website including a ‘+1' button is recorded and kept during at least 18 months and can be associated with the uses of Google's services," they said. "Data collected with the DoubleClick cookie are associated to a identifying number valid during two years and renewable."

Several of the recommendations are also backed by members of the Asia Pacific Privacy Authorities and Canada's federal privacy commissioner has similar concerns about Google, they added.

The web behemoth seems incapable of turning around these days without running into another regulatory probe. Google has just finished with a Federal Trade Commission case over ignoring do-no-track in Safari browsers, the EU is in the middle of an antitrust case that's analysing whether the firm uses its search advertising to favour its own services over competitors and that whole Street View data slurp stuff just goes on and on.

The UK ICO for its part had this to say in a statement supplied to the Reg:

We await Google's response which will be considered by the Commission Nationale de l'information et des liberties (CNIL), on behalf of the ICO and the other European data protection regulators. A decision will then be made on whether further action is required.

®

Beginner's guide to SSL certificates

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
In the next four weeks, 100 people will decide the future of the web
While America tucks into Thanksgiving turkey, the world will be taking over the net
Microsoft EU warns: If you have ties to the US, Feds can get your data
European corps can't afford to get complacent while American Big Biz battles Uncle Sam
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.