How Google lost the trust of Europe’s data protection authorities

Application of the Reagan doctrine

Even with its own privacy pronouncements, Google has been accused of being “economical with the truth”. For instance, what Google told the Information Commissioner in July 2011 was that the Wi-Fi data collection by its StreetView Camera cars was accidental.

By contrast, a Federal Communications Commission (FCC) report into the same problem made it clear that Google intentionally intercepted such Wi-Fi data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the interception. That is why the Federal Communications Commission imposed a $25,000 fine in April 2012.

However, I think the most damaging conclusion was that Google impeded the FCC investigation by “delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions”.

So when Google says something about privacy, how do we know that it is kosher? That is why European data protection commissioners are pushing their equivalent of the “Reagan doctrine” at every turn: “Trust but verify”.

So when Google last year changed its Privacy Policy, many data protection commissioners wanted answers to certain questions and the CNIL (the French Data Protection Authority) was given the lead co-ordinating role. All European Commissioners signed a letter containing a number of queries on 26 October 2012 expressing their concerns asking Google to comply with their recommendations within four months. Google’s response was of the two-fingered variety.

The CNIL’s concerns (still unaddressed) were that Google:

• did not provide retention periods and has refused to provide retention periods;
• has not provided sufficient information about its personal data processing;
• should reinforce users' consent offer an improved control over the combination of data by simplifying and centralising the right to object (opt out);
• should allow users to choose for which service their data are combined;
• should adapt the tools that its various data combinations remain limited to the authorised purposes, eg, by differentiating the tools used for security and those used for advertising; and
• should avoid an excessive collection of data.

So what’s wrong with Google’s privacy policy?

At the heart of Google’s problems, is its privacy policy, and it is quite easy to see why there are issues. For example, just compare one basic definition:

Google definition of “Personal information”. This is “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google".

UK Act definition of “personal data”. This "means data which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”

Now suppose Google has collected an IP address. To satisfy its definition of personal information, that IP address requires identification of an individual from “other data which can be reasonably linked to such information by Google”. By contrast, the Data Protection Act requires merely that the identification information to be “in the possession” of Google (ie, there is no requirement to “reasonably link” the identifying information with the IP address as per the Google definition).

Note also that the UK definition merely requires the identification information to be “likely to come into the possession” of Google. By contrast again Google’s definition needs the data to be under Google’s control and an actual linkage to the specific individual.

It now can be seen, that the Google definition is far narrower than the 1998 Data Protection Act. How then does the UK’s Information Commissioner know that Google has complied with that Act, if Google does not provide the details such as those requested by the CNIL?

In practice, I think the Google definition is very close to that found in the Data Protection Act 1984 repealed by the 1998 Act (this required the processing of personal data had to be “by reference to the data subject”). In my view, the definition that Google uses in its Privacy Policy is nearly three decades out of date.

Finally there are questions of the scope of Google’s Privacy Policy. Its website says that it applies to “Information that you give us (for example"; “many of our services require you to sign up for a Google Account”); or “Information that we get from your use of our services” (for example, when you visit a website that uses our advertising services”). There is no reference to personal information obtained by Google from other sources or from the public domain; so the status of such personal information is unclear.

You can see now that Google’s Privacy Policy does indeed raise several legitimate questions as to what it means in the context of data protection legislation which uses different definitions. I think most responsible companies would answer these questions; failure to answer them merely serves to raise suspicion.

The “Starbucks effect” (and the Boston Tea Party)

The press report that Google employs more than 1,300 people in London and Manchester, generates £2.5bn of UK sales and pays corporation tax of £6m or so. This latter figure implies its UK profits are of the order £30m per year.

This crude analysis shows that Google is, in effect, another “Starbucks”. It generates hundreds of millions of pounds of revenues in the UK and pays disproportionately little Corporation Tax. Of course Google pay VAT and their UK employees their PAYE, but in general the public can now categorise Google as another large organisation evading their fair share of tax. The prime minister’s dictum that “we are all in this together” clearly excludes Google from the “we”.

It follows that when Google take the high moral ground in support for notions of freedom of speech, this does not extend to the facts that allow such speech to be informed in the context of its own tax affairs. In summary, any future public pronouncement by Google about “freedom” should be accompanied with a great deal of cynicism.

Then there is the unprecedented lobbying from USA companies like Google concerning the content of the Data Protection Regulation. The idea that corporate America can employ its financial muscle to influence Europe’s Parliamentary processes and laws should make everyone feel very uneasy. What do you think would happen if Europe’s corporate giants started lobbying the USA Senate about gun control or abortion or taxation? They would quickly be told where to go.

Indeed, Google’s involvement presents a historical curiosity. In 1773, the cry at the Boston Tea Party was: "No taxation without representation".

Google’s version of this is: “Full representation without taxation".

References

CNIL’s Google links

• Google privacy policy: six European data protection authorities to launch coordinated and simultaneous enforcement actions
• Google's new privacy policy : incomplete information and uncontrolled combination of data across services
• Google's privacy policy : G29 ready for coordinated enforcement actions

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.