How Google lost the trust of Europe’s data protection authorities
The days of teensy fines may be over for Mountain View
Application of the Reagan doctrine
Even with its own privacy pronouncements, Google has been accused of being “economical with the truth”. For instance, what Google told the Information Commissioner in July 2011 was that the Wi-Fi data collection by its StreetView Camera cars was accidental.
By contrast, a Federal Communications Commission (FCC) report into the same problem made it clear that Google intentionally intercepted such Wi-Fi data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the interception. That is why the Federal Communications Commission imposed a $25,000 fine in April 2012.
However, I think the most damaging conclusion was that Google impeded the FCC investigation by “delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions”.
So when Google says something about privacy, how do we know that it is kosher? That is why European data protection commissioners are pushing their equivalent of the “Reagan doctrine” at every turn: “Trust but verify”.
The CNIL’s concerns (still unaddressed) were that Google:
- did not provide retention periods and has refused to provide retention periods;
- has not provided sufficient information about its personal data processing;
- should reinforce users' consent offer an improved control over the combination of data by simplifying and centralising the right to object (opt out);
- should allow users to choose for which service their data are combined;
- should adapt the tools that its various data combinations remain limited to the authorised purposes, eg, by differentiating the tools used for security and those used for advertising; and
- should avoid an excessive collection of data.
Google definition of “Personal information”. This is “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google".
UK Act definition of “personal data”. This "means data which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”
Now suppose Google has collected an IP address. To satisfy its definition of personal information, that IP address requires identification of an individual from “other data which can be reasonably linked to such information by Google”. By contrast, the Data Protection Act requires merely that the identification information to be “in the possession” of Google (ie, there is no requirement to “reasonably link” the identifying information with the IP address as per the Google definition).
Note also that the UK definition merely requires the identification information to be “likely to come into the possession” of Google. By contrast again Google’s definition needs the data to be under Google’s control and an actual linkage to the specific individual.
It now can be seen, that the Google definition is far narrower than the 1998 Data Protection Act. How then does the UK’s Information Commissioner know that Google has complied with that Act, if Google does not provide the details such as those requested by the CNIL?
The “Starbucks effect” (and the Boston Tea Party)
The press report that Google employs more than 1,300 people in London and Manchester, generates £2.5bn of UK sales and pays corporation tax of £6m or so. This latter figure implies its UK profits are of the order £30m per year.
This crude analysis shows that Google is, in effect, another “Starbucks”. It generates hundreds of millions of pounds of revenues in the UK and pays disproportionately little Corporation Tax. Of course Google pay VAT and their UK employees their PAYE, but in general the public can now categorise Google as another large organisation evading their fair share of tax. The prime minister’s dictum that “we are all in this together” clearly excludes Google from the “we”.
It follows that when Google take the high moral ground in support for notions of freedom of speech, this does not extend to the facts that allow such speech to be informed in the context of its own tax affairs. In summary, any future public pronouncement by Google about “freedom” should be accompanied with a great deal of cynicism.
Then there is the unprecedented lobbying from USA companies like Google concerning the content of the Data Protection Regulation. The idea that corporate America can employ its financial muscle to influence Europe’s Parliamentary processes and laws should make everyone feel very uneasy. What do you think would happen if Europe’s corporate giants started lobbying the USA Senate about gun control or abortion or taxation? They would quickly be told where to go.
Indeed, Google’s involvement presents a historical curiosity. In 1773, the cry at the Boston Tea Party was: "No taxation without representation".
Google’s version of this is: “Full representation without taxation".
CNIL’s Google links
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
Sponsored: Today’s most dangerous security threats