The French Data Protection Authority (CNIL), known to be one of the most assiduous data protection authorities in Europe, was designated by an EU committee to lead the investigation. The timing of the letter is significant: Next week, data protection commissioners from across the globe will congregate in Punta del Este, Uruguay for an annual convention on international privacy standards and emerging issues in the field of data protection.
The group of 27 data protection authorities, who submitted the letter under the banner of the Article 29 Data Protection Working Party, asked Google to revise its privacy practices in two key areas. They called for more transparency on the collection and use of individuals’ personal data, and changes to the newly implemented policy of combining user data across a range of Google services. On the transparency front, the EU data protection authorities are asking Google to provide clearer and more comprehensive information about what data it is collecting and how that information is being used. The commissioners suggest using “interactive presentations” to help get the message across.
The authorities also charged that Google failed to give European users control over the combination of data from across its numerous platforms, such as web searches, Blogger, YouTube or Gmail. To remedy this, the authorities are asking Google to give users the opportunity to choose when their data will be combined, and to “reinforce users’ consent” to have data about them rolled together from multiple accounts. The commissioners also asked Google to simplify users’ right to opt out of having data about them combined across multiple services.
But not everyone interprets the letter the same way. Privacy expert Simon Davies, writing in a blog post analyzing the EU move, characterized it as a first step toward litigation rather than a mere request:
“The reality is that the letter is an iron fist in a velvet glove. Although camouflaged with words such as “challenge” and “request” the letter clearly opens the litigation terrain to national regulators who will be doing more than “requesting”. Article 29 has created an evidence-based foundation for all regulators to commence legal proceedings.”
While there are a range of opinions on Google’s policy change, it’s clear to us that Google should not create European-specific products apart from their global services. Right now, the strong privacy laws in Europe benefit people all over the world because international companies (like Google) are striving to reach the tough European standards. We see an example of this with data portability, in which companies like Twitter and Google are increasingly providing users with simple ways to access the entire user dossier the company has compiled on them. This concept, which stems in part from data access rights under European privacy law, is increasingly being made available both to users in Europe and, in ripple effect, to people around the world.
So while we encourage the European regulators and Google to continue moving forward in productive conversations, we also remind both Google and European regulators that resolving this disagreement by balkanizing Google’s services won’t benefit users or innovation.