Google must change privacy policy demand EU watchdogs

European data protection regulators have demanded Google change its privacy policy, though the French-led team did not conclude that the search giant's actions amounted to something illegal. The investigation, by the Commission Nationale de l'Informatique (CNIL), argued that Google's decision to condense the privacy policies of over sixty products into a single agreement – and at the same time increase the amount of inter-service data sharing – could leave users unclear as to how different types of information (as varied as search terms, credit card details, or phone numbers) could be used by the company.

"The Privacy Policy makes no difference in terms of processing between the innocuous content of search query and the credit card number or the telephone communications of the user" the CNIL points out, "all these data can be used equally for all the purposes in the Policy." That some web users merely interact passively with Google products, such as adverts, also comes in for heightened attention, with those users getting no explanation at all as to how their actions might be tracked or stored.

"EU Data protection authorities ask Google to provide clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations. For instance, EU Data protection authorities recommend the implementation of a presentation with three levels of detail to ensure that information complies with the requirements laid down in the Directive and does not degrade the users' experience. The ergonomics of the Policy could also be improved with interactive presentations" CNIL

In a letter to Google [pdf link] – signed by the CNIL and other authorities from across Europe – the concerns are laid out in full, together with some suggestions as to how they can be addressed. For instance, the search company could "develop interactive presentations that allow users to navigate easily through the content of the policies" and "provide additional and precise information about data that have a significant impact on users (location, credit card data, unique device identifiers, telephony, biometrics)."

Ironically, one of Google's arguments for initially changing its policy system was that a single, harmonized agreement would be easier for users to read through and understand. It also insisted that the data-sharing aspects were little changed from before.

"The CNIL, all the authorities among the Working Party and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations" the commission concluded. Google has a 3-4 month period to enact the changes requested, or it could face the threat of sanctions.

"We have received the report and are reviewing it now" Peter Fleischer, Google's global privacy counsel, told TechCrunch. "Our new privacy policy demonstrates our long-standing commitment to protecting our users' information and creating great products. We are confident that our privacy notices respect European law."