Google under pressure to change privacy policy

Google’s new privacy policy may be in breach of EU law according to 30 European data protection commissioners.

The EU has sent a public letter to Google saying its new privacy policy could be collecting too much data on users and holding that data for too long. Regulators say it’s unclear what Google’s new privacy policy even is and that it fails to take user privacy seriously at all.

“Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object,” reads the letter. “Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles.”

With great power…

The commissioners pointed specifically to Google’s storing of cookies and data for between 18 months and two years as possibly being in breach of data protection laws. The French data protection authority – CNIL – has now requested Google provide users with more detailed control over their personal data. This involves splitting up data controls between different Google services, such as Gmail, YouTube and Google+, rather than lumping them all in together, which is exactly what Google’s new privacy policy – introduced in March – set out to achieve.

The EU paints a worrying picture of Google’s increasing access to personal data from across numerous services. According to the CNIL, visits to sites that display a ‘1+’ Google+ button will be stored for at least 18 months, while data collected via DoubleClick ad cookies is stored for two years and can be renewed without consent. The EU said such power and control over user data must be used responsibly.

Google retaliates

Yesterday Google co-founder Larry Page went on the offensive, rebutting the EU’s claims. Page said it was “sad” that regulators are trying to restrict types of online data collection and that certain Google products would not have been possible without data collection. The co-founder used the example of a potential Android feature that could prevent your phone from interrupting you during a scheduled meeting.

“That’s almost a trivial thing to know,” said Page. “But for us, solving that problem requires changing our privacy policy, which we’ve now done,” he said. “And now you’ll see those kinds of things roll out.”

But according to a New York Times source, Google execs “breathed a sigh of relief” at the EU response, as they expected the regulators to impose a much harsher penalty, such as fines and concrete charges that Google broke the law. As it stands, the EU is giving Google a loose timeframe of 4 months to change its policy and explain more clearly what exactly it does with the data it collects.

“Google bought some time,” said Mark Rotenberg, president of the Electronic Privacy Information Center, adding that the message from European authorities was: “We’ve been through this before, with companies like Facebook, and they responded. If you choose not to respond, you do so at your own risk.”

No stranger…

Of course, Google is no stranger to breaking the law and violating user privacy. As we outlined a couple of months ago, Google has consistently shown complete disregard for user privacy, to the point where it even lied to the FTC about data collection via StreetView, earning itself the biggest fine the regulator has ever imposed. While the EU has made strong criticisms of Google’s new privacy policy, many of the points outlined by the CNIL are posed as requests, rather than orders. Such requests are likely to be ignored, or fought against, if we take Google’s past behaviour into account. But as data protection lawyer Marc Dautlich told The Guardian, Google may be playing with fire.

“If Google’s get-out is that it’s only being told ‘should’ rather than ‘must’, then it becomes a question of trust,” said Dautlich. “How does a company purport to be transparent and trusted if they’re put to the test and use a legal nicety to avoid it?”

Google is not invulnerable. The more a company proves itself untrustworthy, the more dangerous the PR fallout when things eventually go wrong.
