European privacy authorities ask Google to tweak March policy change

But they set no firm deadline for making the changes, nor did they threaten firm action if it does not respond

European privacy authorities have asked Google to tweak the unified privacy policy it introduced on March 1, but have stopped short of asking it to undo all its changes. They set no firm deadline for Google to make the tweaks, and will leave it to national data protection authorities to decide whether to take regulatory or legal action.

Google should provide users with more information about its policies, stop combining information from different sources when it is not legally justified, and guarantee to delete personal data after set periods, the authorities told Google on Tuesday in a formal letter to CEO Larry Page signed by the members of the Article 29 Working Party (A29WP), which brings together data protection authorities from across the European Union.

In February, the authorities wrote to Google asking it to delay introduction of the policy, warning that it appeared to breach European privacy laws. Google refused, prompting the A29WP to ask the French National Commission on Computing and Liberty (CNIL) to conduct a full investigation.

"I regret that Google did not want to wait. It would have been much better otherwise for the privacy of hundreds of millions of users of Google's services," said Jacob Kohnstamm, chairman of the A29WP and also head of the Dutch data protection authority, at a news conference in Paris.

Google didn't cooperate fully with the investigation, said CNIL president Isabelle Falque-Pierrotin. Despite being sent detailed questionnaires about its policies, it replied with examples and not precise statements.

In the March policy changes, Google combined many different privacy policies into one, and said it may use information from many different sources to modify the behavior of any of its services.

European privacy law allows such combination of data in certain cases, including where the user requests it, for security, for the provision of a Google account and for academic research.

However, there are four cases in which explicit consent is required from the service user, said Falque-Pierrotin, including product development, advertising and analytics. Google should seek that consent from its users before combining data to those ends, and also provide them with a way to opt out, Falque-Pierrotin said.

The company should also explain more clearly what data it stores, and for how long, she said.

The members of the A29WP only sent their letter to Page on Tuesday, but they had already presented their recommendations to Google on Sept. 19, she said.

Those recommendations include ensuring that it complies with Article 5(3) of the European ePrivacy Directive, the so-called Cookie Directive; rolling out to all countries the version of Google Analytics designed to meet German privacy laws, and simplifying opt-out procedures and making them all accessible from a single page.

Even for users not logged in to a Google service, there are four different places they must opt out of Google advertising data collection, said Gwendal Le Grand, head of CNIL's technical advisory team. "If you want to opt out today, it's very long and it's not easy to find how to do it."

Although the members of the A29WP set no firm deadline for Google to take action, Falque-Pierrotin said she expected Google to make a commitment to change its policy within three or four months. If it did not, then she expected that a number of national data protection authorities would take action.

The financial sanctions that Google faces are tiny. In a recent case involving the illegal collection of Wi-Fi data by Google's Street View cars, CNIL fined the company €100,000 (US$129,000). Google reported a net profit of $2.79 billion for the second quarter, on revenue of $12.21 billion.

"It's not the size of the fine that's important," said Falque-Pierrotin. She is counting on the bad publicity that will result if Google does not change its ways.

The A29WP's action had also received the support of data protection authorities in other countries, including Australia, Canada, Mexico and Hong Kong.

Things are a little different in the U.S., said Kohnstamm: the Federal Trade Commission there is already taking its own action against Google.

However, he said, he expects the concerted action of all the other data protection authorities to send a clear message to Google -- and to other big Internet companies -- that they are serious in their demands, and that privacy protection is something on which companies can compete to win customers.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at
