Google ordered to look again at privacy policy by EU regulators

Internet search firm Google has been ordered to look again at its controversial privacy policy by European Union regulators after a report criticised its collection of internet users’ personal information.

In the report, released today, an EU data protection commissioner accused Google of not respecting data protection.

“It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object,” read a statement from the EU regulator.

The regulator added: “Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. The EU Data protection authorities challenge Google to commit publicly to these principles.”

It said that Google “provides insufficient information to its users on its personal data processing operations”, adding that Google users cannot tell how their personal data are used.

“The Privacy Policy makes no difference in terms of processing between the innocuous content of search query and the credit card number…of the user,” it said, adding: “passive users (i.e. those that interact with some of Google's services like advertising or ‘+1' buttons on third-party websites) have no information at all.”

The French regulator Commission Nationale de l’Informatique et des Libertés (CNIL), which was appointed to lead the investigation on behalf of the EU, demanded that Google modify its practices.

It asked Google to give “clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations” and demanded the firm should allow users to choose when their data are combined between Google products.

It also said that users should be given the right to opt-out and that Google should modify its own systems so that data entered by users in one of the firm’s products cannot be passed to another without consent.

Google faced investigation after it combined all of the privacy policies related to individual products - numbering 60 – into a single, uniform policy, allowing it to transfer users’ data between different areas of and products belonging to the company. It was criticised when it emerged that people had no option but to accept the new terms.

No mention was made of any of the potential sanctions open to the CNIL, which include financial penalties, should Google fail to comply. The CNIL investigated Google on behalf of the Article 29 Data Protection Working Party, which represents European authorities.

Peter Fleischer, Google’s global privacy counsel today said: “We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.”

Google was informed of the demands in a letter sent to its CEO Larry Page yesterday, Reuters reported.

Earlier this month, a spokesman told Bloomberg News its policy provided users with “clear and comprehensive information about how we use data…we are confident that our privacy notices respect the requirements of European data protection laws”.

The company has clashed with CNIL in the past over the collection of data by its Street View camera cars. Despite its protestations last year that the data scoop was done in error and voluntarily highlighted, it was handed the CNIL’s maximum fine of €100,000 (£80,700).