How Google lost the trust of Europe’s data protection authorities

The days of teensy fines may be over for Mountain View

Secure remote control for conventional and virtual desktops

Application of the Reagan doctrine

Even with its own privacy pronouncements, Google has been accused of being “economical with the truth”. For instance, what Google told the Information Commissioner in July 2011 was that the Wi-Fi data collection by its StreetView Camera cars was accidental.

By contrast, a Federal Communications Commission (FCC) report into the same problem made it clear that Google intentionally intercepted such Wi-Fi data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the interception. That is why the Federal Communications Commission imposed a $25,000 fine in April 2012.

However, I think the most damaging conclusion was that Google impeded the FCC investigation by “delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions”.

So when Google says something about privacy, how do we know that it is kosher? That is why European data protection commissioners are pushing their equivalent of the “Reagan doctrine” at every turn: “Trust but verify”.

So when Google last year changed its Privacy Policy, many data protection commissioners wanted answers to certain questions and the CNIL (the French Data Protection Authority) was given the lead co-ordinating role. All European Commissioners signed a letter containing a number of queries on 26 October 2012 expressing their concerns asking Google to comply with their recommendations within four months. Google’s response was of the two-fingered variety.

The CNIL’s concerns (still unaddressed) were that Google:

  • did not provide retention periods and has refused to provide retention periods;
  • has not provided sufficient information about its personal data processing;
  • should reinforce users' consent offer an improved control over the combination of data by simplifying and centralising the right to object (opt out);
  • should allow users to choose for which service their data are combined;
  • should adapt the tools that its various data combinations remain limited to the authorised purposes, eg, by differentiating the tools used for security and those used for advertising; and
  • should avoid an excessive collection of data.

So what’s wrong with Google’s privacy policy?

At the heart of Google’s problems, is its privacy policy, and it is quite easy to see why there are issues. For example, just compare one basic definition:

Google definition of “Personal information”. This is “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google".

UK Act definition of “personal data”. This "means data which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”

Now suppose Google has collected an IP address. To satisfy its definition of personal information, that IP address requires identification of an individual from “other data which can be reasonably linked to such information by Google”. By contrast, the Data Protection Act requires merely that the identification information to be “in the possession” of Google (ie, there is no requirement to “reasonably link” the identifying information with the IP address as per the Google definition).

Note also that the UK definition merely requires the identification information to be “likely to come into the possession” of Google. By contrast again Google’s definition needs the data to be under Google’s control and an actual linkage to the specific individual.

It now can be seen, that the Google definition is far narrower than the 1998 Data Protection Act. How then does the UK’s Information Commissioner know that Google has complied with that Act, if Google does not provide the details such as those requested by the CNIL?

In practice, I think the Google definition is very close to that found in the Data Protection Act 1984 repealed by the 1998 Act (this required the processing of personal data had to be “by reference to the data subject”). In my view, the definition that Google uses in its Privacy Policy is nearly three decades out of date.

Finally there are questions of the scope of Google’s Privacy Policy. Its website says that it applies to “Information that you give us (for example"; “many of our services require you to sign up for a Google Account”); or “Information that we get from your use of our services” (for example, when you visit a website that uses our advertising services”). There is no reference to personal information obtained by Google from other sources or from the public domain; so the status of such personal information is unclear.

You can see now that Google’s Privacy Policy does indeed raise several legitimate questions as to what it means in the context of data protection legislation which uses different definitions. I think most responsible companies would answer these questions; failure to answer them merely serves to raise suspicion.

The “Starbucks effect” (and the Boston Tea Party)

The press report that Google employs more than 1,300 people in London and Manchester, generates £2.5bn of UK sales and pays corporation tax of £6m or so. This latter figure implies its UK profits are of the order £30m per year.

This crude analysis shows that Google is, in effect, another “Starbucks”. It generates hundreds of millions of pounds of revenues in the UK and pays disproportionately little Corporation Tax. Of course Google pay VAT and their UK employees their PAYE, but in general the public can now categorise Google as another large organisation evading their fair share of tax. The prime minister’s dictum that “we are all in this together” clearly excludes Google from the “we”.

It follows that when Google take the high moral ground in support for notions of freedom of speech, this does not extend to the facts that allow such speech to be informed in the context of its own tax affairs. In summary, any future public pronouncement by Google about “freedom” should be accompanied with a great deal of cynicism.

Then there is the unprecedented lobbying from USA companies like Google concerning the content of the Data Protection Regulation. The idea that corporate America can employ its financial muscle to influence Europe’s Parliamentary processes and laws should make everyone feel very uneasy. What do you think would happen if Europe’s corporate giants started lobbying the USA Senate about gun control or abortion or taxation? They would quickly be told where to go.

Indeed, Google’s involvement presents a historical curiosity. In 1773, the cry at the Boston Tea Party was: "No taxation without representation".

Google’s version of this is: “Full representation without taxation".


CNIL’s Google links

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Internet Security Threat Report 2014

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Special pleading against mass surveillance won't help anyone
Protecting journalists alone won't protect their sources
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
Vodafone to buy 140 Phones 4u stores from stricken retailer
887 jobs 'preserved' in the process, says administrator PwC
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.