Gov't regulators slam Google's privacy efforts

Privacy commissioners from 10 companies threaten to take action against privacy violations

Google and other online companies need to stop "willfully" disregarding privacy laws in many countries when rolling out new products or privacy policies, or they may face fines and other sanctions, data protection commissioners from 10 countries said Tuesday.

The government regulators, from Canada, France, Germany and other countries, focused their warnings on Google and the launch of its Buzz social networking service in February. The 10 data protection regulators sent a letter to Google CEO Eric Schmidt, saying the launch of Buzz came with a "disappointing disregard for fundamental privacy norms and laws."

Internet-based companies should see the letter as a final warning before data protection regulators begin to take action against violations of privacy law, said Jacob Kohnstamm, chairman of the College Bescherming Persoonsgegevens in the Netherlands. "We won't hesitate to use our powers to enforce the fundamental right to privacy, if and when this last warning seems to be ignored," he said at a press conference.

The letter sent to Google represents the first time so many data protection regulators have worked together to attempt to enforce privacy rules, said Jennifer Stoddart, privacy commissioner of Canada. Internet users and companies should expect more joint actions, she added.

In the original public version of Buzz, launched in February, the program compiled a list of the Gmail contacts the users most frequently e-mailed or chatted with and automatically started following those people. Those lists were made public, giving strangers access to the contacts of Buzz users.

There were a flurry of complaints from Gmail users, and Google made changes to Buzz within a couple of days. Google officials said they tested Buzz on employees, but outside users reacted much differently to the default settings.

A Google spokesman said the company has launched several privacy tools in recent months, including Google Dashboard and Ads Preferences Manager, to give users control over their data.

"We try very hard to be up front about the data we collect, and how we use it, as well as to build meaningful controls into our products," he said. "Of course we do not get everything 100 percent right -- that is why we acted so quickly on Buzz following the user feedback we received. We have discussed all these issues publicly many times before and have nothing to add to today's letter -- instead we are focused on launching our new transparency tool which we are very excited about."

Google on Tuesday announced it was launching a government transparency tool that shows users what types of user information governments are requesting from Google. Eight of the 10 countries that sent the privacy letter to Google made at least 30 requests for Google to release information about individual users in the second half of 2009.

The U.K., which signed on to the privacy letter, made more than 1,150 requests for information on Google users during the six-month period. France, Italy and Germany each made more than 450 requests for information about Google users during that time period.

Still, the privacy commissioners said Google's launch of Buzz and some other products has lacked an appropriate focus on privacy.

"It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world," the letter said.

Google has also "ignored" privacy concerns when it rolled out its Street View product and other products, said Artemi Rallo Lombarte, director of Agencia Española de Protección de Datos in Spain. Internet companies need to stop the "habitual" launch of products before they fully consider the privacy implications, he said.

While Google was the target of the letter, Lombarte and other privacy commissioners said they had similar concerns about other Internet companies. Facebook's recent changes to its privacy policy and its aborted Beacon targeted advertising service also raised questions about privacy, he said.

"Many of these companies publicly say they're committed to privacy rights ... but this appears to be a marketing strategy rather than a true and real commitment," Lombarte said.

The group of privacy commissioners called on Google and other online companies to collect the minimum amount of information necessary, to provide privacy control settings that are easy to use and to allow users to easily delete their accounts.

Join the CSO newsletter!

Error: Please check your email address.

Tags Googleprivacy

More about FacebookGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place