European Criticism for Google's New Privacy Policy

Google's new cross-service privacy policy is supposed to come into effect on March 1.  The US Federal Trade Commission has already expressed concerns, and now European data protection authorities have weighed in with the assertion that a "preliminary analysis" indicates that the policy does not satisfy national laws based on the EU Data Protection Directive.  

With implementation of the EU ePrivacy Directive amendments this year and a draft EU Regulation slated to replace the Data Protection Directive, the global environment for online privacy will only become more demanding.  The trend is toward more informative and granular privacy policies, with more conspicuous privacy options for Internet and mobile users.  Service providers should take this trend into account in planning and updating their online privacy practices, if they want to reach a global audience without running head-on into global compliance problems.

Google recently announced a new privacy policy that would replace some 70 separate policies covering its diverse services, from Gmail, YouTube, and Blogger to its Chrome browser, Google Docs, and Google Maps.  Unless users exercise certain opt-out choices, Google will collect data about their use of the various Google services to create comprehensive profiles and follow the users' activities across multiple online and mobile services.  This will allow Google to personalize services and search results -- and serve up more personalized (and higher-value) advertising.  The new policy is more detailed than most of the existing Google privacy policies and has the advantage of informing users about Google's practices and options in a single place.

Privacy advocates in the United States and the United Kingdom have called for government investigations of the planned cross-matching of online behavioral data, and the chairman of the US Federal Trade Commission expressed concern over what he termed the "binary," "somewhat brutal choice" offered by Google to accept or decline all such profiling.

Yesterday, the president of CNIL, the French data protection authority, issued an open letter to Google's CEO announcing a further investigation and the initial conclusion that the new privacy practices would not conform to European data privacy laws:

. . . our preliminary analysis shows that Google's new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects.

This represents more than a French reaction to Google's announced plans.  CNIL has been designated to take the lead in investigating Google's new approach on behalf of the Article 29 Working Party, the permanent advisory body that is composed of representatives of all the national data protection authorities and the European Commission.  A preliminary conclusion of noncompliance by the very bodies that enforce the data protection laws seriously raises the risks of proceeding with the new plan to create cross-service user profiles subject to the proposed privacy policy.

The EU data protection authorities are concerned that the new privacy policy does not adequately disclose what would be done with the data and who would have access to it, as required by Articles 10 and 11 of the Directive.  More fundamentally, the Directive requires "fair processing" of personal information that is proportionate in light of the lawful, announced purposes of processing (see Articles 6 and 7).  The European authorities question whether Google has demonstrated sufficient justification to create such comprehensive and potentially intrusive profiles of online behavior.  Enhanced advertising capabilities may not be persuasive on their own.  Google will probably have to demonstrate how the new approach could improve the user experience and offer benefits that users should be allowed to choose in exchange for allowing Google to track their online behavior.  Meanwhile, CNIL, on behalf of the European privacy authorities, asks Google to delay introducing the new privacy practices and policy.

These issues are not limited to Google, of course, and the environment for online profiling is only becoming stricter.  As I reported last week, the draft EU Data Protection Regulation, which would replace the framework Directive with a more uniform European legal instrument to protect data privacy, would assert jurisdiction over online service providers that targeted European consumers or monitored their behavior, even if they did so entirely from servers located outside the EU.  And the new, so-called "Cookies Rules" implementing amendments to the EU ePrivacy Directive generally require conspicuous notices and opt-in consent at each point where an online retailer or service provider collects information from or about an individual.  In many cases, these rules will not be satisfied by a single posted privacy policy but may require pop-ups with notices and links at many points in the online experience, which will be challenging to effect (and possibly annoying to users).  There are many unanswered questions about how these requirements can be satisfied -- including concerns about third-party data collection by services such as Google Analytics that many commercial website operators rely on to fine-tune their online offerings.

Once again, the technologically possible (and commercially attractive) seems to have outpaced social and legal consensus.  Google's treatment of user data is on a scale matched by few, but online enterprises of all sizes will be watching to see how Google fares in the face of official and public reservations.

One conclusion is easy:  the watchword for anyone offering products or services online should be "transparency."  This concept appears repeatedly in the CNIL letter and also in the White House Consumer Privacy Bill of Rights released last week.  Enterprises need to say, perhaps in greater detail than before, what they are doing with user data, and they also need to explain why it is good for consumers.  As we move toward more of an opt-in approach to personal data collection and especially behavioral profiling, users will need to be persuaded of its value.