CNIL Conclusions on Google’s privacy policy

Just a few days ago, the European authorities examining Google’s compliance with the European Directive on Privacy published their conclusion. Basically, they indicated that Google failed to respect essential principles of the Directive, such as limiting the usage of personal data, minimising the requested personal data, and the right to object.

  • There is not enough information on the nature and usage of the collected data.
  • The way users can control their level of privacy is too complicated.
  • The data collected is not minimized for the purpose.
  • The retention periods are not specified.

As the CNIL puts it: it is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object.[…]

Under the current Policy, a Google service’s user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed.

E.g.: the Privacy Policy makes no difference in terms of processing between the innocuous content of search query and the credit card number or the telephone communications of the user; all these data can be used equally for all the purposes in the Policy.

Moreover, passive users (i.e. those that interact with some of Google’s services like advertising or ‘+1’ buttons on third-party websites) have no information at all.

On the combination of data across services, the change Google just made, the CNIL says:

Combination of data across services has been generalized with the new Privacy Policy: in practice, any online activity related to Google (use of its services, of its system Android or consultation of third-party websites using Google’s services) can be gathered and combined.

The European DPAs note that this combination pursues different purposes such as the provision of a service requested by the user, product development, security, advertising, the creation of the Google account or academic research. The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data.

E.g.: the mere consultation of a website including a ‘+1’ button is recorded and kept during at least 18 months and can be associated with the uses of Google’s services; data collected with the DoubleClick cookie are associated to an identifying number valid during 2 years and renewable.

Here are the recommendations they made to Google to address the combination of data across services:

  • reinforce users’ consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics. This could be realized by giving users the opportunity to choose when their data are combined, for instance with dedicated buttons in the services (cf. button “Search Plus Your World”),
  • offer an improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose for which service their data are combined,
  • adapt the tools used by Google for the combination of data so that it remains limited to the authorized purposes, e.g. by differentiating the tools used for security and those used for advertising.

But there is some good news for us citizens in this issue:

This letter [a letter to Google with the recommendations of the EU Data protection authorities] is individually signed by 27 European Data protection authorities for the first time and it is a significant step forward in the mobilization of European authorities.

Let’s hope Google’s next Data Privacy Policy will be here soon to adopt.

