Feeds

EU data bosses order Google to sort out privacy

Gmail, YouTube, Google+, search - they all know you

The Power of One Infographic

EU data regulators have told Google that it has to make changes to its new privacy policy due to "incomplete information and uncontrolled combination of data across services".

The regulators, led by France's Commission Nationale de l'Informatique (CNIL), have spent several months investigating the policy, which basically allows Google to mash up all its previous 60 policies into one document and grab data on folks from across their services.

The data authorities said today in a CNIL announcement that Google needed to make the new terms of their over-arching policy clearer for users and give those users an opt-out option for each product so they can stop information being taken from one to the other.

A letter has been sent to the search giant outlining the changes that are wanted, signed by 27 out of the 29 countries' regulators involved. But although the EU is asking for alterations to the policy, it has not yet fined or threatened to fine the firm or accused it of breaking the law.

Google's Peter Fleischer, global privacy counsel, said that it was reviewing the findings.

"Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products," he said. "We are confident that our privacy notices respect European law."

CNIL, which has been an avid critic of the new policy, headed up the probe for Europe's G29 countries and questioned Mountain View twice about the changes, but said the firm did not give "satisfactory answers" to its concerns.

Nevertheless, by analysing all the documents and mechanisms of the new policy, the data protection authorities decided that the web giant did not do enough to protect people's privacy.

"It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimisation, proportionality and right to object." they said. "Indeed, the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data."

Google users can't figure out what categories of their personal information are being snaffled by the firm and what purpose that data is used for under the current policy, the regulators said, claiming that the policy made no distinction between the results of a search query and a credit card number.

The authorities also said that users had no control over the combination of their data across Google products like Gmail and YouTube, whether it would be used for product development or advertising or research. Google refused to give specific retention periods to CNIL, but the investigation found that the scope of data gathering was pretty broad and the information was kept for quite a while.

"The mere consultation of a website including a ‘+1' button is recorded and kept during at least 18 months and can be associated with the uses of Google's services," they said. "Data collected with the DoubleClick cookie are associated to a identifying number valid during two years and renewable."

Several of the recommendations are also backed by members of the Asia Pacific Privacy Authorities and Canada's federal privacy commissioner has similar concerns about Google, they added.

The web behemoth seems incapable of turning around these days without running into another regulatory probe. Google has just finished with a Federal Trade Commission case over ignoring do-no-track in Safari browsers, the EU is in the middle of an antitrust case that's analysing whether the firm uses its search advertising to favour its own services over competitors and that whole Street View data slurp stuff just goes on and on.

The UK ICO for its part had this to say in a statement supplied to the Reg:

We await Google's response which will be considered by the Commission Nationale de l'information et des liberties (CNIL), on behalf of the ICO and the other European data protection regulators. A decision will then be made on whether further action is required.

®

Boost IT visibility and business value

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.