Feeds

EU data bosses order Google to sort out privacy

Gmail, YouTube, Google+, search - they all know you

Choosing a cloud hosting partner with confidence

EU data regulators have told Google that it has to make changes to its new privacy policy due to "incomplete information and uncontrolled combination of data across services".

The regulators, led by France's Commission Nationale de l'Informatique (CNIL), have spent several months investigating the policy, which basically allows Google to mash up all its previous 60 policies into one document and grab data on folks from across their services.

The data authorities said today in a CNIL announcement that Google needed to make the new terms of their over-arching policy clearer for users and give those users an opt-out option for each product so they can stop information being taken from one to the other.

A letter has been sent to the search giant outlining the changes that are wanted, signed by 27 out of the 29 countries' regulators involved. But although the EU is asking for alterations to the policy, it has not yet fined or threatened to fine the firm or accused it of breaking the law.

Google's Peter Fleischer, global privacy counsel, said that it was reviewing the findings.

"Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products," he said. "We are confident that our privacy notices respect European law."

CNIL, which has been an avid critic of the new policy, headed up the probe for Europe's G29 countries and questioned Mountain View twice about the changes, but said the firm did not give "satisfactory answers" to its concerns.

Nevertheless, by analysing all the documents and mechanisms of the new policy, the data protection authorities decided that the web giant did not do enough to protect people's privacy.

"It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimisation, proportionality and right to object." they said. "Indeed, the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data."

Google users can't figure out what categories of their personal information are being snaffled by the firm and what purpose that data is used for under the current policy, the regulators said, claiming that the policy made no distinction between the results of a search query and a credit card number.

The authorities also said that users had no control over the combination of their data across Google products like Gmail and YouTube, whether it would be used for product development or advertising or research. Google refused to give specific retention periods to CNIL, but the investigation found that the scope of data gathering was pretty broad and the information was kept for quite a while.

"The mere consultation of a website including a ‘+1' button is recorded and kept during at least 18 months and can be associated with the uses of Google's services," they said. "Data collected with the DoubleClick cookie are associated to a identifying number valid during two years and renewable."

Several of the recommendations are also backed by members of the Asia Pacific Privacy Authorities and Canada's federal privacy commissioner has similar concerns about Google, they added.

The web behemoth seems incapable of turning around these days without running into another regulatory probe. Google has just finished with a Federal Trade Commission case over ignoring do-no-track in Safari browsers, the EU is in the middle of an antitrust case that's analysing whether the firm uses its search advertising to favour its own services over competitors and that whole Street View data slurp stuff just goes on and on.

The UK ICO for its part had this to say in a statement supplied to the Reg:

We await Google's response which will be considered by the Commission Nationale de l'information et des liberties (CNIL), on behalf of the ICO and the other European data protection regulators. A decision will then be made on whether further action is required.

®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Verizon bankrolls tech news site, bans tech's biggest stories
No agenda here. Just don't ever mention Net neutrality or spying, ok?
NATO declares WAR on Google Glass, mounts attack alongside MPAA
Yes, the National Association of Theater Owners is quite upset
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.