Via Slash Gear
-----
European data protection regulators have demanded Google change its privacy policy,
though the French-led team did not conclude that the search giant’s
actions amounted to something illegal. The investigation, by the Commission Nationale de l’Informatique
(CNIL), argued that Google’s decision to condense the privacy policies
of over sixty products into a single agreement – and at the same time
increase the amount of inter-service data sharing – could leave users
unclear as to how different types of information (as varied as search
terms, credit card details, or phone numbers) could be used by the
company.
“The Privacy Policy makes no difference in terms of processing
between the innocuous content of search query and the credit card number
or the telephone communications of the user” the CNIL points out, “all
these data can be used equally for all the purposes in the Policy.” That
some web users merely interact passively with Google products, such as
adverts, also comes in for heightened attention, with those users
getting no explanation at all as to how their actions might be tracked
or stored.
“EU Data protection authorities ask Google to provide
clearer and more comprehensive information about the collected data and
purposes of each of its personal data processing operations. For
instance, EU Data protection authorities recommend the implementation of
a presentation with three levels of detail to ensure that information
complies with the requirements laid down in the Directive and does not
degrade the users’ experience. The ergonomics of the Policy could also
be improved with interactive presentations” CNIL
In a letter to Google [pdf
link] – signed by the CNIL and other authorities from across Europe –
the concerns are laid out in full, together with some suggestions as to
how they can be addressed. For instance, the search company could
“develop interactive presentations that allow users to navigate easily
through the content of the policies” and “provide additional and precise
information about data that have a significant impact on users
(location, credit card data, unique device identifiers, telephony,
biometrics).”
Ironically, one of Google’s arguments for initially changing its
policy system was that a single, harmonized agreement would be easier
for users to read through and understand. It also insisted that the
data-sharing aspects were little changed from before.
“The CNIL, all the authorities among the Working Party and data
protection authorities from other regions of the world expect Google to
take effective and public measures to comply quickly and commit itself
to the implementation of these recommendations” the commission
concluded. Google has a 3-4 month period to enact the changes requested,
or it could face the threat of sanctions.
“We have received the report and are reviewing it now” Peter Fleischer, Google’s global privacy counsel, told TechCrunch.
“Our new privacy policy demonstrates our long-standing commitment to
protecting our users’ information and creating great products. We are
confident that our privacy notices respect European law.”