The European Article 29 Working Party – composed of representatives of EU Member State data protection authorities, the European Data Protection Supervisor and the European Commission – has sent Google a letter setting out a list of compliance measures in respect of the latter’s privacy policy to enable it to meet its obligations under the EU Data Protection Directive and the domestic data protection rules of several Member States.

The letter is the latest in a series of communications with Google following investigations by a number of national agencies over Google’s decision to consolidate its privacy policies in 2012. The introduction of a single, sweeping policy has raised concerns over Google’s ability to aggregate and evaluate extensively its users’ personal data from their different Google service accounts, thereby enhancing significantly the potential for creating enriched customer profiles without properly informed consent [PeepBeep!].

The proposed compliance measures include:

• ensuring that its privacy policy is immediately visible and accessible via one click on each service landing page;
• presenting important new processing activities in its privacy policy and not in its terms of service;
• informing users of any new recipients of their personal data and how it will be used (avoiding phrases that are too vague, such as “and our partners”);
• avoiding indistinct language such as “we may …” and using, e.g., “if you used services A and B, we will …”;
• providing clear employee policies;
• adopting a multi-layered approach to the provision of its privacy notice;
• obtaining user consent prior to processing;
• providing users with tools to control the use of their data between its services; and,
• defining its data retention policies.

The Article 29 Working Party states that it remains open to discuss any other measures that Google would propose to address its legal requirements and it reserves its position to issue guidance on specific issues to the entire industry at a later point.

Alison Knight