
Google signs formal undertakings committing it to change its privacy policy for UK online users

‘The hits keep on rolling when you’re Google…’

As previously reported in this blog here and here, Google is rarely out of the headlines when it comes to the daily workloads of European data protection agencies (DPAs). The most recent story is the news from the UK’s Information Commissioner’s Office (ICO) that Google has signed a formal undertaking prepared by the authority, which contains commitments that bind it to implement significant changes to the UK implementation of its privacy policy and associated practices by the end of June this year.

For background, Google adopted a single privacy policy in 2012 – replacing around 70 of its pre-existing, individual policies – that permitted it to combine users’ personal data across all of its different services. The introduction of this policy raised data protection concerns across Europe over Google’s ability to aggregate and extensively evaluate its users’ personal data from their different Google service accounts, thereby significantly enhancing the potential for creating enriched customer profiles without properly informed consent.

Following an investigation, the ICO found that Google’s new policy fell short of making sufficient information available to service users, in breach of the fair processing and transparency requirements of the Data Protection Act 1998 (DPA). To close this investigation and avoid enforcement action being taken against the company, however, Google has agreed to the ICO’s demand that it change its policy and improve the information it provides on why and how it collects and uses personal data, insofar as this affects UK users of Google’s services, so that those users may better understand the implications of such data being combined.

Importantly, these ‘users’ include not only active users (those signed into Google services) but also passive ones: those who are not signed in, those who do not have a Google account and, indeed, those whose data are obtained not because they use Google services – including its search engine – but because they visit a website that subscribes to Google products such as Google Analytics. In particular, following criticism that its privacy policy was too vague, Google must give better notice to both sets of users about how it processes personal data gathered from its web services and products. This requirement includes providing more information on Google’s use of cookies and clearer, more user-friendly definitions of technical terms. Google has also promised to simplify and unify its general user privacy controls, as well as to enhance its internal personal data deletion policy.

The achievement of this milestone is by no means the end of the story. According to the undertaking document, over the next two years Google must take steps to ensure further changes, such as rolling out user-group testing so that any significant future changes to the privacy policy are reviewed on an ongoing basis. In the meantime, the ICO has indicated that it plans to update its 2010 Privacy Notices Code of Practice later this year in order to help online and mobile organisations operating within the UK ensure that they provide effective privacy information to their users.

Outside the UK, Google has already been investigated about its privacy policy by DPAs in other EU Member States (including France, Spain, the Netherlands, Italy and Germany). The pan-European Article 29 Working Party (WP) – whose members include representatives from the DPAs – also concluded as early as October 2012 that Google’s privacy policy infringed data protection rules. In particular, the WP views the aggregation of users’ personal data from across all their accounts and services as incompatible with data protection rules requiring clear and specific information to be set out in service providers’ privacy policies. To remedy these defects, the WP has engaged in intense dialogue with Google over a number of years, which culminated last September in its sending the company a list of compliance measures in a letter and attached Appendix, the contents of which are summarised in my earlier post. According to the ICO, in its summary of the relevant timeline, Google responded to this letter on 2 December 2014 by setting out a number of its own improvements to the WP’s suggestions aimed at further addressing the WP’s concerns; this letter does not appear to have been made public.

While UK and EU-level resolution of outstanding concerns seems achievable, therefore, all eyes will be on Google this year until at least 2018 to ensure that it follows through on its promises – with judicial sanctions and further enforcement action waiting in the wings if it does not. Google’s greatest hits keep on rolling…

Alison Knight
