EU Gives Google a Privacy To-Do List
The EU is more prickly about privacy than the U.S., but its concerns about Google's global policy may be justified. "With such an arsenal of information, Google and its marketing partners will likely know more about the user's interests and proclivities than the user herself, or the user's psychologist, could ever know or ascertain," observed Brooklyn Law professor Jonathan Askin.
The move comes on the heels of rumors that the Federal Trade Commission is about to launch an antitrust suit against the company.
Critics argue that it allows Google to collect more information about consumers as they use the various services in Google's empire -- and then aggregate that customer data to create a more-informed picture of the user.
After Google announced its plans to implement the change, the EU Data Protection authorities went to work: The French organization CNIL was tapped to probe what this change would mean to consumers.
Two successive questionnaires were sent to Google and the company replied. However, several answers were incomplete or approximate, and Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60 or more product-specific privacy policies that have been merged in the new policy, CNIL claimed.
Hence, the request that Google to provide more information about the collected data as well as the purposes of each of its operations for processing personal data.
CNIL also suggested several changes Google should make, such as presenting three levels of detail to ensure conformance with its directive. It also suggested interactive presentations.
Google should modify its practices when combining data across services, advised CNIL, by giving users the opportunity to choose when their data could be combined, to centralize the right to opt out, and to allow users to choose the services for which their data could be combined.
Google reportedly is reviewing the CNIL findings and is confident it is in compliance with European law. CNIL hints otherwise, nothing that it is not clear whether Google respects the EU's data protection principles: purpose limitation, data quality, data minimization, proportionality, and right to object.
Google and CNIL did not respond to our requests for further details.
Too Much Information vs.Too Many Policies
There is a case to be made for both sides of this argument, at least in the U.S. Clearly, Google is accumulating a lot of information about its users, Jonathan Askin, a professor at Brooklyn Law School, told the E-Commerce Times.
"With such an arsenal of information, Google and its marketing partners will likely know more about the user's interests and proclivities than the user herself, or the user's psychologist, could ever know or ascertain," he quipped.
Also, the combining of data about a user across multiple services is of understandable concern to regulators and privacy watchdogs, said Askin. "Users often use different Google services for distinct purposes, and might be willing to allow Google and its marketing partners access to user information in connection with some Google services, but not for others."
For instance, a user might be willing to allow Youtube marketing partners access to information about videos watched, said Askin, but might prefer that the same marketer not have access to, say, Gmail data.
However, what the EU is suggesting won't necessarily rectify these issues and could complicate matters more, Ryan Radia, an analyst with the Competitive Enterprise Institute, told the E-Commerce Times.
Google has become so big that it would be difficult for it to distill precisely how using product A will be combined with the user's access to Products B, C and Z, he said.
The list of potential uses will be long, complex and no doubt written in legalese, which the consumer will gloss over, predicted Radia. "I can't imagine someone reading through a list like that on a regular basis."