European Regulators Put Google in the Hot Seat on Privacy Changes

The French National Commission on Computing and Liberty (CNIL) is running up against what seems to be a chronic problem with Google: difficulty in getting all of the information it requested.

The CNIL was tapped by Europe’s Article 29 Working Party to take the lead in analyzing Google’s new privacy policy, which went into affect on March 1. On March 16, CNIL sent a questionnaire to Google, which the search engine giant responded to on April 20.

CNIL duly thanked Google for its cooperation but noted that its answers were “often incomplete or approximate,” and so launched another round of questions for clarification, which Google has until June 8 to answer.

CNIL gave a few hints as to which of its 69 questions Google hedged on. It noted that Google has not provided a practical answer on the way the Europe’s Privacy Directive is applied for Google’s “passive users” — that is, the persons who use Google services such as advertising, analytics and its +1 button when they visit third-party websites.

It also said that Google has not provided a maximum retention period for the data, and that it would like to clarify the actual effects of Google’s opt-out mechanisms and their validity as a means to exercising the right to oppose.

CNIL did not respond to our request for further details.

“We have received the CNIL’s follow-up questions, and we are reviewing them,” said Google Privacy Counsel Peter Fleischer. “We are confident that our privacy notices respect the requirements of European data protection laws.”

69 Very Long Questions

Certainly the CNIL questionnaire is a lengthy one, with very detailed questions. Consider No. 25: “What does Google mean by ‘personally identifiable information’ in the sentence ‘we will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent’? Does this ‘personally identifiable information’ include the following data collected by Google when using Google services:A) IP-addresses and/orB) unique device identifiers and/orC) telephone numbers and/orD) geolocation data.”No doubt, Google might have preferred to avoid some of the questions CNIL posed — such as No. 2: “Please provide the approximate number of complaints/demands/questions addressed to Google following the announcement of the new privacy policy in January 2012” — if only to keep privacy advocates around the globe from getting further inflamed, as the complete answer to No. 7 could well do.

No. 7: “The new privacy policy describes a list of ‘Information that we get from your use of our services’ and includes in this description ‘Device information,’ ‘Log information,’ ‘Location information,’ ‘Unique application numbers,’ and ‘Cookies and anonymous identifiers.’ Please indicate if this list is comprehensive or if Google may collect additional data related to the user’s use of its services.”

In Google’s defense, it just might not have the answers to some of the questions, at least at this moment. For example, Question 11: “Google does not mention face recognition in its new privacy policy. Does this mean that Google does not use facial recognition processings or that a specific policy will apply for such processing? In this case, will Google ask users for prior explicit consent before applying face recognition to pictures or other material uploaded by users (for example a picture used for a Google account, or pictures uploaded to Google+ representing the user or third parties)?”

Google’s MO

Stonewalling is Google’s M.O. when it comes to regulatory requests, John M. Simpson, Consumer Watchdog’s privacy project director, told the E-Commerce Times.

“Google did it with the FCC over its inquiry into the StreetView project,” he said. “The FCC fined Google (US)$25,000 because it dragged its feet in responding.”

Google has said it fully cooperated with the inquiry.

“Google’s constant footdragging and obstructionist tactics when it comes to dealings with regulatory authorities is finally catching up with them,” said Simpson.

If the EU really wants to flex its muscles over Google’s privacy policy, it has the ability to do so, Peter S. Vogel, partner at Gardere Wynne Sewell, told the E-Commerce Times.

“It has been clear since Google announced its privacy policy change that the EU was unhappy with it,” said Vogel. “Potentially this is a problem for Google.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

E-Commerce Times Channels