SlideShare une entreprise Scribd logo

Letter from the_article_29_working_party_to_google_in_relation_to_its_new_privacy_policy

Greg Sterling
Greg Sterling
1  sur  5
Télécharger pour lire hors ligne
ARTICLE 29 Data Protection Working Party Brussels, 16.10.2012 Dear Mr. Page, On March 1, 2012 Google changed the privacy policy and terms of service that apply to most of its services. This new policy merges many product-specific privacy policies and generalizes combination of data across services. We recognize that Google launched an extensive advertising campaign to inform its users about the new Privacy Policy, using various information tools (emails, pop-ups, etc.). However, the changes in the new Privacy Policy have been decided without substantial discussions with data protection regulators and have raised numerous questions about Google’s processing operations. The EU Data Protection Authorities, united within the Article 29 Working Party, launched an in-depth investigation to assess the compliance of Google’s new Privacy Policy with the European Data Protection legislation, notably the Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC. The Working Party asked the French Data Protection Authority (CNIL) to take the lead in this analysis. Google collaborated with the Working Party’s investigation by answering two questionnaires sent by the CNIL on March 19 and May 22. Other data protection and privacy authorities around the world, like the Asia Pacific Privacy Authorities, also conducted inquiries. Google explained that many of its privacy-related practices do not differ from other U.S. internet companies. We examine the practices of other companies operating in this sector, if needed be publicly. As a leader in the online world, we expect Google to proactively engage on privacy matters in close relationship with the competent authorities of the countries where your company offers its services. The wide variety of processing operations implemented by Google requires a strong and enduring commitment to ensure that Google’s development is not made at the expenses of your users’ privacy. Therefore, we are happy that Google accepted to clarify some issues, although grey areas still remain after analyzing your answers to the two questionnaires. In particular, Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles. Additionally, the investigation unveiled several legal issues with the new privacy policy and the combination of data. Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data 1
being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed. Internet companies should not develop privacy notices that are too complex, law-oriented or excessively long. However, the search for simplicity should not lead internet companies to avoid the respect of their duties. We require from all large and global companies that they detail and differentiate their processing operations. Secondly, the investigation confirmed our concerns about the combination of data across services. The new Privacy Policy allows Google to combine almost any data from any services for any purposes. Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user, the protection of the individual’s fundamental rights and freedoms overrides Google’s legitimate interests to collect such a large database, and no contract justifies this large combination of data. Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed. Moreover, Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it. Combining personal data on such a large scale creates high risks to the privacy of users. Therefore, Google should modify its practices when combining data across services for these purposes. Other purposes are legitimate or based on consent, such as the provision of a service where the user requests the combination of data across services (e.g. access to the contacts in Calendar), security or academic research, even if improvements should be made with regard to the information provided. Finally, Google failed to provide retention periods for the personal data it processes. As data protection regulators, we expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data protection laws and principles. To that end, we list below our practical recommendations. You will also find a summary of the findings of the investigation and detailed recommendations in the appendix. Regarding information, Google should disclose and detail how it processes personal data in each service and differentiate the purposes for each service and each category of data. In practice, Google could: - Define an architecture of layered privacy notices with three levels: (1st level) in- product privacy notices and interstitial notices, (2nd level) the current privacy policy in an updated version, (3rd level) product-specific information; - Develop interactive presentations that allow users to navigate easily through the content of the policies; - Provide additional and precise information about data that have a significant impact on users (location, credit card data, unique device identifiers, telephony, biometrics) - Adapt information to mobile users; - Ensure that passive users are appropriately informed. 2
The implementation of these recommendations would ensure comprehensive, non-invasive and clear information for the data subjects. Regarding combination of data, Google should take action to clarify the purposes and means of the combination of data. In that perspective, Google should detail more clearly how data is combined across its services and develop new tools to give users more control over their personal data. This could be done by implementing the following controls (detailed in appendix): - Simplify opt-out mechanisms for authenticated and non-authenticated users, and make them available in one place; - Differentiate the purposes of the combination of data with appropriate tools; - Collect explicit consent for the combination of data for certain purposes; - Offer the possibility for authenticated users to control in which service they are logged in; - Limit the combination of data for passive users; - Implement Article 5(3) of the European ePrivacy Directive; - Extend to all countries the process designed for Google Analytics in Germany. We recognize Google’s key role in the online world. Our recommendations do not seek to limit the company’s ability to innovate and improve its products, but rather to strengthen users’ trust and control, and to ensure compliance with data protection legislations and principles. Finally, we encourage you to engage with data protection authorities when developing services with significant implications for privacy. We would like you to send a response to the CNIL indicating how and within what timeframe Google will update its privacy policy and practices to implement our recommendations. Yours sincerely, Isabelle FALQUE-PIERROTIN (FR) Jacob KOHNSTAMM (Chairman Article 29 Working Party + NL) Eva SOUHRADA-KIRCHMAYER (AT) 3
Peter SCHAAR (DE) José Luis RODRÍGUEZ ÁLVAREZ (ES) Reijo AARNIO (FI) Billy HAWKES (IE) Antonello SORO (IT) 4
Yiannos DANIELIDES (CY) Göran GRÄSLUND (SE) Natasa PIRC MUSAR (SI) Eleonóra KROČIANOVÁ (SK) 5

Recommandé

Google Policy Primer 2013
Google Policy Primer 2013Google Policy Primer 2013
Google Policy Primer 2013Kylie M
 
What is GDPR ? by M32
What is GDPR ? by M32What is GDPR ? by M32
What is GDPR ? by M32Pneus Touchette Distribution inc.
 
Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Pat Coyle
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 
Beginning your GDPR journey
Beginning your GDPR journeyBeginning your GDPR journey
Beginning your GDPR journeyMiguel Mello
 
Tangible Data Protection White Paper
Tangible Data Protection White PaperTangible Data Protection White Paper
Tangible Data Protection White PaperNick Banbury
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?Faidepro
 
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDisclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDavid Erdos
 

Recommandé

Google Policy Primer 2013
Google Policy Primer 2013Google Policy Primer 2013
Google Policy Primer 2013Kylie M
 
What is GDPR ? by M32
What is GDPR ? by M32What is GDPR ? by M32
What is GDPR ? by M32Pneus Touchette Distribution inc.
 
Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Pat Coyle
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 
Beginning your GDPR journey
Beginning your GDPR journeyBeginning your GDPR journey
Beginning your GDPR journeyMiguel Mello
 
Tangible Data Protection White Paper
Tangible Data Protection White PaperTangible Data Protection White Paper
Tangible Data Protection White PaperNick Banbury
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?Faidepro
 
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDisclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDavid Erdos
 
The Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsThe Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsHubilo
 
GDPR infographic
GDPR infographicGDPR infographic
GDPR infographicMarketing Team at Crown Worldwide Group
 
IAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe
 
GIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataGIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataIAB Europe
 
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy RegulationThe U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy RegulationCognizant
 
The General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesThe General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesSyed Nazir Razik ACP, CSM, PMP
 
Privacy Year In Preview
Privacy Year In PreviewPrivacy Year In Preview
Privacy Year In PreviewRockwell Bower, Esq., CIPP(US), CIPM
 
The GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyThe GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyLilian Edwards
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.Steven Salter
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?David Erdos
 
Understanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics toolsUnderstanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics toolsRominaMariaBaltariu
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016stefanjung
 
Getting Ready for GDPR
Getting Ready for GDPRGetting Ready for GDPR
Getting Ready for GDPRJessvin Thomas
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands legalandgeneral
 
Brexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveBrexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveTrustArc
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
Google search bias letter 2016 01-26(1)-1
Google search bias letter 2016 01-26(1)-1Google search bias letter 2016 01-26(1)-1
Google search bias letter 2016 01-26(1)-1Greg Sterling
 
FTC Complaint v InMobi
FTC Complaint v InMobiFTC Complaint v InMobi
FTC Complaint v InMobiGreg Sterling
 
E ventures worldwide v. google
E ventures worldwide v. googleE ventures worldwide v. google
E ventures worldwide v. googleGreg Sterling
 
How google fights piracy 2016
How google fights piracy 2016How google fights piracy 2016
How google fights piracy 2016Greg Sterling
 
European Court of Justice Press Release GS Media vs. Sanoma
European Court of Justice Press Release GS Media vs. SanomaEuropean Court of Justice Press Release GS Media vs. Sanoma
European Court of Justice Press Release GS Media vs. SanomaGreg Sterling
 

Contenu connexe

Tendances

The Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsThe Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsHubilo
 
IAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe
 
GIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataGIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataIAB Europe
 
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy RegulationThe U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy RegulationCognizant
 
The General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesThe General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesSyed Nazir Razik ACP, CSM, PMP
 
The GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyThe GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyLilian Edwards
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.Steven Salter
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?David Erdos
 
Understanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics toolsUnderstanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics toolsRominaMariaBaltariu
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016stefanjung
 
Getting Ready for GDPR
Getting Ready for GDPRGetting Ready for GDPR
Getting Ready for GDPRJessvin Thomas
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands legalandgeneral
 
Brexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveBrexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveTrustArc
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 

Tendances (17)

The Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsThe Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event Professionals
 
GDPR infographic
GDPR infographicGDPR infographic
GDPR infographic
 
IAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance Primer
 
GIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataGIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal Data
 
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy RegulationThe U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
 
The General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesThe General data protection regulation : Salient clauses
The General data protection regulation : Salient clauses
 
Privacy Year In Preview
Privacy Year In PreviewPrivacy Year In Preview
Privacy Year In Preview
 
The GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyThe GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacy
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?
 
Understanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics toolsUnderstanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics tools
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016
 
Getting Ready for GDPR
Getting Ready for GDPRGetting Ready for GDPR
Getting Ready for GDPR
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands
 
Brexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveBrexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK Perspective
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 

En vedette

Google search bias letter 2016 01-26(1)-1
Google search bias letter 2016 01-26(1)-1Google search bias letter 2016 01-26(1)-1
Google search bias letter 2016 01-26(1)-1Greg Sterling
 
FTC Complaint v InMobi
FTC Complaint v InMobiFTC Complaint v InMobi
FTC Complaint v InMobiGreg Sterling
 
E ventures worldwide v. google
E ventures worldwide v. googleE ventures worldwide v. google
E ventures worldwide v. googleGreg Sterling
 
How google fights piracy 2016
How google fights piracy 2016How google fights piracy 2016
How google fights piracy 2016Greg Sterling
 
European Court of Justice Press Release GS Media vs. Sanoma
European Court of Justice Press Release GS Media vs. SanomaEuropean Court of Justice Press Release GS Media vs. Sanoma
European Court of Justice Press Release GS Media vs. SanomaGreg Sterling
 
1 2016-593-en-f1-1-1
1 2016-593-en-f1-1-11 2016-593-en-f1-1-1
1 2016-593-en-f1-1-1Greg Sterling
 
Google viacom-kids-cookie-tracking
Google viacom-kids-cookie-trackingGoogle viacom-kids-cookie-tracking
Google viacom-kids-cookie-trackingGreg Sterling
 

En vedette (7)

Google search bias letter 2016 01-26(1)-1
Google search bias letter 2016 01-26(1)-1Google search bias letter 2016 01-26(1)-1
Google search bias letter 2016 01-26(1)-1
 
FTC Complaint v InMobi
FTC Complaint v InMobiFTC Complaint v InMobi
FTC Complaint v InMobi
 
E ventures worldwide v. google
E ventures worldwide v. googleE ventures worldwide v. google
E ventures worldwide v. google
 
How google fights piracy 2016
How google fights piracy 2016How google fights piracy 2016
How google fights piracy 2016
 
European Court of Justice Press Release GS Media vs. Sanoma
European Court of Justice Press Release GS Media vs. SanomaEuropean Court of Justice Press Release GS Media vs. Sanoma
European Court of Justice Press Release GS Media vs. Sanoma
 
1 2016-593-en-f1-1-1
1 2016-593-en-f1-1-11 2016-593-en-f1-1-1
1 2016-593-en-f1-1-1
 
Google viacom-kids-cookie-tracking
Google viacom-kids-cookie-trackingGoogle viacom-kids-cookie-tracking
Google viacom-kids-cookie-tracking
 

Similaire à Letter from the_article_29_working_party_to_google_in_relation_to_its_new_privacy_policy

20140923 letter on_google_privacy_policy_appendix
20140923 letter on_google_privacy_policy_appendix20140923 letter on_google_privacy_policy_appendix
20140923 letter on_google_privacy_policy_appendixGreg Sterling
 
Qubole GDPR Security and Compliance Whitepaper
Qubole GDPR Security and Compliance Whitepaper Qubole GDPR Security and Compliance Whitepaper
Qubole GDPR Security and Compliance Whitepaper Vasu S
 
GDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowGDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowVisitor Analytics
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Acquia
 
How the EU-GDPR May Affect Your Website
How the EU-GDPR May Affect Your WebsiteHow the EU-GDPR May Affect Your Website
How the EU-GDPR May Affect Your WebsiteSilverTech
 
Controversy over Google's Privacy Policy Changes
Controversy over Google's Privacy Policy ChangesControversy over Google's Privacy Policy Changes
Controversy over Google's Privacy Policy ChangesInternet Law Center
 
Golden Gekko, 10 burning questions on privacy
Golden Gekko, 10 burning questions on privacyGolden Gekko, 10 burning questions on privacy
Golden Gekko, 10 burning questions on privacyDMI
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
Google Policy Primer
Google Policy PrimerGoogle Policy Primer
Google Policy PrimerIrene Pollak
 
What does GDPR laws mean for Australian businesses
What does GDPR laws mean for Australian businessesWhat does GDPR laws mean for Australian businesses
What does GDPR laws mean for Australian businessesiFactory Digital
 
General data protection regulation - European union
General data protection regulation - European unionGeneral data protection regulation - European union
General data protection regulation - European unionRohana K Amarakoon
 
Cookie Consent and Authorized Data Collection_Mar23.pdf
Cookie Consent and Authorized Data Collection_Mar23.pdfCookie Consent and Authorized Data Collection_Mar23.pdf
Cookie Consent and Authorized Data Collection_Mar23.pdfAdzappier
 
Data Privacy in the Cloud.pdf
Data Privacy in the Cloud.pdfData Privacy in the Cloud.pdf
Data Privacy in the Cloud.pdfaccacloud
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paperGraeme Cross
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationIBM Security
 
Deceived by design. How tech companies use dark patterns to discourage us fro...
Deceived by design. How tech companies use dark patterns to discourage us fro...Deceived by design. How tech companies use dark patterns to discourage us fro...
Deceived by design. How tech companies use dark patterns to discourage us fro...Digital Policy and Law Consulting
 
KLL4328
KLL4328 KLL4328
KLL4328 KLIBEL
 
2012 2 2 mindshare digital po v new google privacy policy
2012 2 2 mindshare digital po v new google privacy policy2012 2 2 mindshare digital po v new google privacy policy
2012 2 2 mindshare digital po v new google privacy policyMindshare
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
 

Similaire à Letter from the_article_29_working_party_to_google_in_relation_to_its_new_privacy_policy (20)

20140923 letter on_google_privacy_policy_appendix
20140923 letter on_google_privacy_policy_appendix20140923 letter on_google_privacy_policy_appendix
20140923 letter on_google_privacy_policy_appendix
 
Qubole GDPR Security and Compliance Whitepaper
Qubole GDPR Security and Compliance Whitepaper Qubole GDPR Security and Compliance Whitepaper
Qubole GDPR Security and Compliance Whitepaper
 
GDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowGDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to Know
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
How the EU-GDPR May Affect Your Website
How the EU-GDPR May Affect Your WebsiteHow the EU-GDPR May Affect Your Website
How the EU-GDPR May Affect Your Website
 
Controversy over Google's Privacy Policy Changes
Controversy over Google's Privacy Policy ChangesControversy over Google's Privacy Policy Changes
Controversy over Google's Privacy Policy Changes
 
Golden Gekko, 10 burning questions on privacy
Golden Gekko, 10 burning questions on privacyGolden Gekko, 10 burning questions on privacy
Golden Gekko, 10 burning questions on privacy
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
Google Policy Primer
Google Policy PrimerGoogle Policy Primer
Google Policy Primer
 
What does GDPR laws mean for Australian businesses
What does GDPR laws mean for Australian businessesWhat does GDPR laws mean for Australian businesses
What does GDPR laws mean for Australian businesses
 
General data protection regulation - European union
General data protection regulation - European unionGeneral data protection regulation - European union
General data protection regulation - European union
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
Cookie Consent and Authorized Data Collection_Mar23.pdf
Cookie Consent and Authorized Data Collection_Mar23.pdfCookie Consent and Authorized Data Collection_Mar23.pdf
Cookie Consent and Authorized Data Collection_Mar23.pdf
 
Data Privacy in the Cloud.pdf
Data Privacy in the Cloud.pdfData Privacy in the Cloud.pdf
Data Privacy in the Cloud.pdf
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 
Deceived by design. How tech companies use dark patterns to discourage us fro...
Deceived by design. How tech companies use dark patterns to discourage us fro...Deceived by design. How tech companies use dark patterns to discourage us fro...
Deceived by design. How tech companies use dark patterns to discourage us fro...
 
KLL4328
KLL4328 KLL4328
KLL4328
 
2012 2 2 mindshare digital po v new google privacy policy
2012 2 2 mindshare digital po v new google privacy policy2012 2 2 mindshare digital po v new google privacy policy
2012 2 2 mindshare digital po v new google privacy policy
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 

Plus de Greg Sterling

Ab 1760 -_amendments
Ab 1760 -_amendmentsAb 1760 -_amendments
Ab 1760 -_amendmentsGreg Sterling
 
Joint ad trade letter to ag becerra re ccpa 1.31.2019
Joint ad trade letter to ag becerra re ccpa 1.31.2019Joint ad trade letter to ag becerra re ccpa 1.31.2019
Joint ad trade letter to ag becerra re ccpa 1.31.2019Greg Sterling
 
Goldman v breitbart_-_opinion
Goldman v breitbart_-_opinionGoldman v breitbart_-_opinion
Goldman v breitbart_-_opinionGreg Sterling
 
Google genericide-cert-petition
Google genericide-cert-petitionGoogle genericide-cert-petition
Google genericide-cert-petitionGreg Sterling
 
Filed copy-first-amended-complaint-baldino-v-google-january-13-2017-1
Filed copy-first-amended-complaint-baldino-v-google-january-13-2017-1Filed copy-first-amended-complaint-baldino-v-google-january-13-2017-1
Filed copy-first-amended-complaint-baldino-v-google-january-13-2017-1Greg Sterling
 
Amazon motion to quash echo-search
Amazon motion to quash echo-searchAmazon motion to quash echo-search
Amazon motion to quash echo-searchGreg Sterling
 
170206 vizio 2017.02.06_complaint
170206 vizio 2017.02.06_complaint170206 vizio 2017.02.06_complaint
170206 vizio 2017.02.06_complaintGreg Sterling
 
Brave cease and desist final copy
Brave cease and desist final copy Brave cease and desist final copy
Brave cease and desist final copy Greg Sterling
 
160315lordandtaylcmpt
160315lordandtaylcmpt160315lordandtaylcmpt
160315lordandtaylcmptGreg Sterling
 
Google search bias letter Utah-DC
Google search bias letter Utah-DCGoogle search bias letter Utah-DC
Google search bias letter Utah-DCGreg Sterling
 
Uber Promotions vs Uber Technologies
Uber Promotions vs Uber Technologies Uber Promotions vs Uber Technologies
Uber Promotions vs Uber Technologies Greg Sterling
 
Judge Pym order iphone
Judge Pym order iphoneJudge Pym order iphone
Judge Pym order iphoneGreg Sterling
 
Communication from the commission to the institutions december2015
Communication from the commission to the institutions december2015Communication from the commission to the institutions december2015
Communication from the commission to the institutions december2015Greg Sterling
 
CJEU decision on Schrems
CJEU decision on SchremsCJEU decision on Schrems
CJEU decision on SchremsGreg Sterling
 
Complaint Google v. Local Lighthouse
Complaint Google v. Local LighthouseComplaint Google v. Local Lighthouse
Complaint Google v. Local LighthouseGreg Sterling
 
Phantom alertcomplaint
Phantom alertcomplaintPhantom alertcomplaint
Phantom alertcomplaintGreg Sterling
 
Carnegie mellon google_ad_study
Carnegie mellon google_ad_studyCarnegie mellon google_ad_study
Carnegie mellon google_ad_studyGreg Sterling
 
Consumer watchdog rtbf letter
Consumer watchdog rtbf letterConsumer watchdog rtbf letter
Consumer watchdog rtbf letterGreg Sterling
 

Plus de Greg Sterling (20)

Ab 1760 -_amendments
Ab 1760 -_amendmentsAb 1760 -_amendments
Ab 1760 -_amendments
 
Joint ad trade letter to ag becerra re ccpa 1.31.2019
Joint ad trade letter to ag becerra re ccpa 1.31.2019Joint ad trade letter to ag becerra re ccpa 1.31.2019
Joint ad trade letter to ag becerra re ccpa 1.31.2019
 
Goldman v breitbart_-_opinion
Goldman v breitbart_-_opinionGoldman v breitbart_-_opinion
Goldman v breitbart_-_opinion
 
Google genericide-cert-petition
Google genericide-cert-petitionGoogle genericide-cert-petition
Google genericide-cert-petition
 
Elliott v. google
Elliott v. googleElliott v. google
Elliott v. google
 
Filed copy-first-amended-complaint-baldino-v-google-january-13-2017-1
Filed copy-first-amended-complaint-baldino-v-google-january-13-2017-1Filed copy-first-amended-complaint-baldino-v-google-january-13-2017-1
Filed copy-first-amended-complaint-baldino-v-google-january-13-2017-1
 
Amazon motion to quash echo-search
Amazon motion to quash echo-searchAmazon motion to quash echo-search
Amazon motion to quash echo-search
 
170206 vizio 2017.02.06_complaint
170206 vizio 2017.02.06_complaint170206 vizio 2017.02.06_complaint
170206 vizio 2017.02.06_complaint
 
Brave cease and desist final copy
Brave cease and desist final copy Brave cease and desist final copy
Brave cease and desist final copy
 
160315lordandtaylcmpt
160315lordandtaylcmpt160315lordandtaylcmpt
160315lordandtaylcmpt
 
Weiss vs google
Weiss vs googleWeiss vs google
Weiss vs google
 
Google search bias letter Utah-DC
Google search bias letter Utah-DCGoogle search bias letter Utah-DC
Google search bias letter Utah-DC
 
Uber Promotions vs Uber Technologies
Uber Promotions vs Uber Technologies Uber Promotions vs Uber Technologies
Uber Promotions vs Uber Technologies
 
Judge Pym order iphone
Judge Pym order iphoneJudge Pym order iphone
Judge Pym order iphone
 
Communication from the commission to the institutions december2015
Communication from the commission to the institutions december2015Communication from the commission to the institutions december2015
Communication from the commission to the institutions december2015
 
CJEU decision on Schrems
CJEU decision on SchremsCJEU decision on Schrems
CJEU decision on Schrems
 
Complaint Google v. Local Lighthouse
Complaint Google v. Local LighthouseComplaint Google v. Local Lighthouse
Complaint Google v. Local Lighthouse
 
Phantom alertcomplaint
Phantom alertcomplaintPhantom alertcomplaint
Phantom alertcomplaint
 
Carnegie mellon google_ad_study
Carnegie mellon google_ad_studyCarnegie mellon google_ad_study
Carnegie mellon google_ad_study
 
Consumer watchdog rtbf letter
Consumer watchdog rtbf letterConsumer watchdog rtbf letter
Consumer watchdog rtbf letter
 

Letter from the_article_29_working_party_to_google_in_relation_to_its_new_privacy_policy

  • 1. ARTICLE 29 Data Protection Working Party Brussels, 16.10.2012 Dear Mr. Page, On March 1, 2012 Google changed the privacy policy and terms of service that apply to most of its services. This new policy merges many product-specific privacy policies and generalizes combination of data across services. We recognize that Google launched an extensive advertising campaign to inform its users about the new Privacy Policy, using various information tools (emails, pop-ups, etc.). However, the changes in the new Privacy Policy have been decided without substantial discussions with data protection regulators and have raised numerous questions about Google’s processing operations. The EU Data Protection Authorities, united within the Article 29 Working Party, launched an in-depth investigation to assess the compliance of Google’s new Privacy Policy with the European Data Protection legislation, notably the Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC. The Working Party asked the French Data Protection Authority (CNIL) to take the lead in this analysis. Google collaborated with the Working Party’s investigation by answering two questionnaires sent by the CNIL on March 19 and May 22. Other data protection and privacy authorities around the world, like the Asia Pacific Privacy Authorities, also conducted inquiries. Google explained that many of its privacy-related practices do not differ from other U.S. internet companies. We examine the practices of other companies operating in this sector, if needed be publicly. As a leader in the online world, we expect Google to proactively engage on privacy matters in close relationship with the competent authorities of the countries where your company offers its services. The wide variety of processing operations implemented by Google requires a strong and enduring commitment to ensure that Google’s development is not made at the expenses of your users’ privacy. Therefore, we are happy that Google accepted to clarify some issues, although grey areas still remain after analyzing your answers to the two questionnaires. In particular, Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles. Additionally, the investigation unveiled several legal issues with the new privacy policy and the combination of data. Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data 1
  • 2. being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed. Internet companies should not develop privacy notices that are too complex, law-oriented or excessively long. However, the search for simplicity should not lead internet companies to avoid the respect of their duties. We require from all large and global companies that they detail and differentiate their processing operations. Secondly, the investigation confirmed our concerns about the combination of data across services. The new Privacy Policy allows Google to combine almost any data from any services for any purposes. Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user, the protection of the individual’s fundamental rights and freedoms overrides Google’s legitimate interests to collect such a large database, and no contract justifies this large combination of data. Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed. Moreover, Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it. Combining personal data on such a large scale creates high risks to the privacy of users. Therefore, Google should modify its practices when combining data across services for these purposes. Other purposes are legitimate or based on consent, such as the provision of a service where the user requests the combination of data across services (e.g. access to the contacts in Calendar), security or academic research, even if improvements should be made with regard to the information provided. Finally, Google failed to provide retention periods for the personal data it processes. As data protection regulators, we expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data protection laws and principles. To that end, we list below our practical recommendations. You will also find a summary of the findings of the investigation and detailed recommendations in the appendix. Regarding information, Google should disclose and detail how it processes personal data in each service and differentiate the purposes for each service and each category of data. In practice, Google could: - Define an architecture of layered privacy notices with three levels: (1st level) in- product privacy notices and interstitial notices, (2nd level) the current privacy policy in an updated version, (3rd level) product-specific information; - Develop interactive presentations that allow users to navigate easily through the content of the policies; - Provide additional and precise information about data that have a significant impact on users (location, credit card data, unique device identifiers, telephony, biometrics) - Adapt information to mobile users; - Ensure that passive users are appropriately informed. 2
  • 3. The implementation of these recommendations would ensure comprehensive, non-invasive and clear information for the data subjects. Regarding combination of data, Google should take action to clarify the purposes and means of the combination of data. In that perspective, Google should detail more clearly how data is combined across its services and develop new tools to give users more control over their personal data. This could be done by implementing the following controls (detailed in appendix): - Simplify opt-out mechanisms for authenticated and non-authenticated users, and make them available in one place; - Differentiate the purposes of the combination of data with appropriate tools; - Collect explicit consent for the combination of data for certain purposes; - Offer the possibility for authenticated users to control in which service they are logged in; - Limit the combination of data for passive users; - Implement Article 5(3) of the European ePrivacy Directive; - Extend to all countries the process designed for Google Analytics in Germany. We recognize Google’s key role in the online world. Our recommendations do not seek to limit the company’s ability to innovate and improve its products, but rather to strengthen users’ trust and control, and to ensure compliance with data protection legislations and principles. Finally, we encourage you to engage with data protection authorities when developing services with significant implications for privacy. We would like you to send a response to the CNIL indicating how and within what timeframe Google will update its privacy policy and practices to implement our recommendations. Yours sincerely, Isabelle FALQUE-PIERROTIN (FR) Jacob KOHNSTAMM (Chairman Article 29 Working Party + NL) Eva SOUHRADA-KIRCHMAYER (AT) 3
  • 4. Peter SCHAAR (DE) José Luis RODRÍGUEZ ÁLVAREZ (ES) Reijo AARNIO (FI) Billy HAWKES (IE) Antonello SORO (IT) 4
  • 5. Yiannos DANIELIDES (CY) Göran GRÄSLUND (SE) Natasa PIRC MUSAR (SI) Eleonóra KROČIANOVÁ (SK) 5