Feeds

EU data bosses order Google to sort out privacy

Gmail, YouTube, Google+, search - they all know you

Secure remote control for conventional and virtual desktops

EU data regulators have told Google that it has to make changes to its new privacy policy due to "incomplete information and uncontrolled combination of data across services".

The regulators, led by France's Commission Nationale de l'Informatique (CNIL), have spent several months investigating the policy, which basically allows Google to mash up all its previous 60 policies into one document and grab data on folks from across their services.

The data authorities said today in a CNIL announcement that Google needed to make the new terms of their over-arching policy clearer for users and give those users an opt-out option for each product so they can stop information being taken from one to the other.

A letter has been sent to the search giant outlining the changes that are wanted, signed by 27 out of the 29 countries' regulators involved. But although the EU is asking for alterations to the policy, it has not yet fined or threatened to fine the firm or accused it of breaking the law.

Google's Peter Fleischer, global privacy counsel, said that it was reviewing the findings.

"Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products," he said. "We are confident that our privacy notices respect European law."

CNIL, which has been an avid critic of the new policy, headed up the probe for Europe's G29 countries and questioned Mountain View twice about the changes, but said the firm did not give "satisfactory answers" to its concerns.

Nevertheless, by analysing all the documents and mechanisms of the new policy, the data protection authorities decided that the web giant did not do enough to protect people's privacy.

"It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimisation, proportionality and right to object." they said. "Indeed, the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data."

Google users can't figure out what categories of their personal information are being snaffled by the firm and what purpose that data is used for under the current policy, the regulators said, claiming that the policy made no distinction between the results of a search query and a credit card number.

The authorities also said that users had no control over the combination of their data across Google products like Gmail and YouTube, whether it would be used for product development or advertising or research. Google refused to give specific retention periods to CNIL, but the investigation found that the scope of data gathering was pretty broad and the information was kept for quite a while.

"The mere consultation of a website including a ‘+1' button is recorded and kept during at least 18 months and can be associated with the uses of Google's services," they said. "Data collected with the DoubleClick cookie are associated to a identifying number valid during two years and renewable."

Several of the recommendations are also backed by members of the Asia Pacific Privacy Authorities and Canada's federal privacy commissioner has similar concerns about Google, they added.

The web behemoth seems incapable of turning around these days without running into another regulatory probe. Google has just finished with a Federal Trade Commission case over ignoring do-no-track in Safari browsers, the EU is in the middle of an antitrust case that's analysing whether the firm uses its search advertising to favour its own services over competitors and that whole Street View data slurp stuff just goes on and on.

The UK ICO for its part had this to say in a statement supplied to the Reg:

We await Google's response which will be considered by the Commission Nationale de l'information et des liberties (CNIL), on behalf of the ICO and the other European data protection regulators. A decision will then be made on whether further action is required.

®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Britain's housing crisis: What are we going to do about it?
Rent control: Better than bombs at destroying housing
Top beak: UK privacy law may be reconsidered because of social media
Rise of Twitter etc creates 'enormous challenges'
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
Uber, Lyft and cutting corners: The true face of the Sharing Economy
Casual labour and tired ideas = not really web-tastic
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
Oz biz regulator discovers shared servers in EPIC FACEPALM
'Not aware' that one IP can hold more than one Website
Apple tried to get a ban on Galaxy, judge said: NO, NO, NO
Judge Koh refuses Samsung ban for the third time
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?