Google's new privacy policy, effective from Thursday 1 March 2012, has attracted much media attention and proved controversial at many levels. Google is not changing what data is collected by its various services; it is changing its practices for using this data, which is reflected in a new privacy policy. Previously, when a Google account holder logged into any one Google service, all the data obtained from that user on that service was kept separate from other Google services used. As a result of the recent Google use policy changes, any data about an account user gathered on any Google service is now collated with data collected about that user across all other services to create a full profile. All services are now governed by one all encompassing privacy policy rather than by numerous individual policies. The search giant claims that this "better customises" its service and offers a seamless user experience. Such a broad collection of data makes it easier for advertisements to be tailored to the specific interests of the account holder.
Google offers a wide range of services including the following:
Google search, Maps, YouTube, Gmail, Google Earth, Reader, Mobile,
Chrome and Reader.
Google announced its new privacy policy on 24 January 2012 and this
sparked initial concern from the Article 29 Working Party. The
Article 29 Working Party was set up under the EU Data Protection
Directive (95/46/EC) to act as an independent European advisory
body on data protection and privacy issues. The Working Party's
concern was to verify whether and how this new policy would comply
with the European Directive on Data Protection. The Working Party
requested that Google pause before introducing this new policy and
appointed the French data protection authority CNIL to lead an
investigation into the policy's compliance. Google refused to
pause and confirmed that the policy would be introduced on 1 March
2012.
CNIL's preliminary analysis of the policy raised concerns that
it might indeed not comply with the EU Directive for the following
reasons: The general information provided by the policy did not
satisfy Articles 10 and 11 which require a purpose-specific wording
to ensure transparency for account users. Currently it is difficult
for users to know exactly which data is being combined between
which services and for what purposes, which raises doubts about the
lawfulness and fairness of processing and thus compliance with
Articles 6 and 7. Additionally, Article 5 of the E-Privacy
Directive requires a search engine to obtain user consent for the
use of cookies to obtain data, Google uses cookies (as well as
other tools) to obtain data and it is not clear how they intend
that the new policy will comply with the principle of specific
consent in Article 5(3).
CNIL also explained its concern that Google did not take a real
opportunity to consult the authorities prior to the announcement of
the policy. Not all authorities were informed, and those that were
only heard about the changes a matter of days prior to the
announcement which the CNIL observes prevented constructive
feedback. It should be noted that although Google did contact
account users in the UK prior to the changes, a recent survey run
by Big Brother Watch (a British privacy advocate) shows that only
12% of Google service users have read the policy and 47% of those
surveyed were unaware of the new privacy policy.
What does the new policy mean for someone using any of these
services? Whenever an account holder uses a Google service they are
leaving personal data that will be amalgamated with data obtained
from other services they have used, giving Google a fuller picture
of their interests, location, music preferences, shopping needs,
friends etc. A Google account user cannot opt out of the privacy
policy itself unless they stop using Google services. It is however
possible for users to opt out partially from at least the data
combination and preference advertising by:
- disabling Web History. This will not prevent Google from gathering and storing data and using it for internal purposes. It does however prevent the information gathered from a user's searches being combined with data from other services and means that it will be made partially anonymous after 18 months.
- using Google Dashboard to edit advertisement preferences. Using the Ads Preference Manager a user can either choose which type of adverts they receive by selecting categories, or can click 'opt out' to prevent tailored adverts altogether. This opt out does not stop or reduce the adverts a user will be exposed to it simply ensures that adverts are not customised. Importantly this 'opt out' does not stop the amalgamation of data across Google's services or stop information being stored.
- logging out. An account user can log out of their account and then use the Google services to avoid being tracked or use separate accounts for different services. This however makes for a clumsy, less user friendly service.
- blocking cookies. By blocking cookies the user will not leave a data trail; this may cause problems in using the services.
Even if users take the measures listed above Google can release
that personal data to external bodies in certain circumstances
which are listed in the policy itself. For example, Google can
release a user's data when it 'is reasonably necessary to
meet any applicable law, regulation, legal process or enforceable
governmental request'.
It is worth noting that Google services are free for users because
they are paid for by advertisements. An important objective of the
recent changes in Google's privacy policy is for Google to sell
advertising and more effectively leverage its power in the
information gathering area into selling power in the advertising
market.
Users and user groups are concerned at the data map the company
will have, describing, analysing and identifying them in
considerable detail despite Google's claims that the new
process streamlines and simplifies its privacy policies. CNIL flags
that this simplification is welcome but should not be done at the
expense of transparency and comprehensiveness for users. CNIL's
investigation into the policy continues.
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.
The original publication date for this article was 05/03/2012.