Tuesday, July 16, 2013

Google's Privacy Policy Violates EU Law According To UK, German, And Italian Data Protection Authorities

On July 4th, 2013, European data protection authorities continued to take a stand to protect the digital privacy and personal safety of their citizens. Regulators in the United Kingdom, Germany, and Italy each announced that they are in the process of taking legal action against Google because its March 1, 2012 privacy policy change violates European data protection laws. According to The Guardian, multiple European data protection authorities have notified Google that it must revise its privacy policy or it will face sanctions.
 
These new announcements follow the June 20, 2013 statement by France and Spain's data protection authorities that ordered Google to comply with European data privacy laws or face sanctions for non-compliance.  The CNIL's October 16, 2012, common findings regarding Google's March 1, 2012 privacy policy change stated "Google provides insufficient information to its users on its personal data processing operations," and Google "should therefore modify its practices when combining data across services for these purposes".    

In response to allegations by data protection authorities that its privacy policy violates European law, Google stated, "[o]ur privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we'll continue to do so going forward." If regulators in at least five European countries have determined that Google's privacy policy is not in compliance with European data protection laws, why does Google continue to claim that its privacy policy respects European law?

Is Google practicing a technique known as "The Big Lie" when it continues to state that its privacy policy respects European data protection laws?  According to Merriam-Webster's online dictionary, a "big lie" is defined as "a deliberate gross distortion of the truth used especially as a propaganda tactic."  Is Google's consistent position that its privacy policy does not violate European data protection laws despite the findings of non-compliance by multiple European regulators part of a strategy to deny non-compliance so it can continue to utilize the data that it is collecting from users until regulators impose fines and/or take other measures that would require compliance? 

Delay, hinder, and deny appears to be Google's modus operandi when confronted with a privacy investigation. Google has been fined multiple times by regulators around the world for its data collection practices. For example, the FCC fined Google $25,000 in 2012 because during its Street View project in the United States it collected data from U.S. citizens such as personal emails and texts and then refused to fully cooperate with the FCC's investigation. According to the FCC's Notice of Apparent Liability Forfeiture report, "Google deliberately impeded and delayed the Bureau’s investigation by failing to respond to requests for material information and to provide certifications and verifications of its responses" ... and "Google apparently willfully and repeatedly violated Commission orders to produce certain information and documents that the Commission required for its investigation."

The personal privacy of Europeans was also violated by Google's Street View project. Earlier this year, Google was fined $189,230 by German data protection authorities because of its Street View project's data collection practices, and it was also fined $142,000 by French data protection authorities in 2011 for similar issues. Does this indicate a troubling pattern where Google violates the personal privacy of Internet users for corporate financial gain because the potential fines are less than the worth of the data it is obtaining and monetizing? Since regulators across the world have fined Google multiple times for violating data protection/privacy laws and these penalties have not pushed Google to reform its behavior, an update to these laws that includes much harsher penalties may be needed.

The European Union's continued march towards requiring Google to change its privacy policy and become more transparent about how it is utilizing user data not only will better protect the digital privacy and safety of consumers, but it will also protect students who utilize Google's official school offerings, along with businesses and governments and their employees who are Google Enterprise customers. 

Google's Apps For Business Enterprise Privacy Center clearly links to Google's standard privacy policy which allows it to merge data from paid professional services with free consumer services.  For example, while a Gmail user is logged in as a Google Apps professional user, he is covered by the Google Apps Agreement.  However, if a Gmail user performs a Google Search, while still logged into his professional Google Apps account, the Gmail user is then bound to a different set of terms which appear to provide Google the right to all the data uploaded. 

Google's Privacy Policy states, "[w]e may combine personal information from one service with information, including personal information, from other Google services." This appears to mean that Google is combining data from all of its services (both consumer and professional) while a user is logged into a business account. The YouTube videos being watched, ads being clicked on, search terms utilized, business emails sent/received, etc. are all being mined and the results combined to build a profile which is used “to offer [Google users] tailored content – like giving you more relevant search results and ads.”
 
Should content gleaned from business or official government accounts also be intermixed with data from personal consumer accounts?  Why isn't there a clear notice such as a large pop up screen or some other type of conspicuous warning when a user moves from one Google service to another that their data may be combined?  Should Google or any company be able to use private business data for purposes such as providing “more relevant search results and ads?”  

Allowing any company, whether Google or a competitor, to collect and combine large amounts of information about a person may create unintended and unforeseen legal consequences for Google's users and society. What will happen when a government agency and/or lawyers request access to all of the data that Google is collecting about someone? These practices appear to not only put the personal privacy and safety of Google's users at risk but they also raise significant legal issues about the intermingling of personal and/or corporate or government data.

The time is now for Google to change its privacy policy not just for users in the European countries that are moving forward with enforcement actions but for all users throughout the world. Since Google's official corporate code of conduct includes the phrases "don't be evil," "doing the right thing," and "following the law," I would like to see Google prove it practices what it preaches by changing its privacy policy to not only better protect the personal privacy and safety of all of its users but to also follow European data protection laws.

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.     
