The findings are made by CNIL on behalf of the EU Data Protection agencies through the Article 29 Working Party and thus have a significance beyond France.
CNIL indicates that the agencies
recommend clearer information of the users and ask Google to offer the persons improved control over the combination of data across its numerous services. [They] wish that Google modifies the tools it uses to avoid an excessive collection of data.
The analysis of Google's answers and the examination of numerous documents and technical mechanisms by the CNIL's experts have led EU Data protection authorities to draw their conclusions and make recommendations to Google.

In discussing specifics, CNIL is highly critical, stating that
The EU Data protection authorities challenge Google to commit publicly to these principles.
Moreover, passive users (i.e. those that interact with some of Google's services like advertising or ‘+1’ buttons on third-party websites) have no information at all. EU Data protection authorities remind Google and internet companies in general that shorter privacy notices do not justify a reduction of information delivered to the data subjects.
The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data. E.g.: the mere consultation of a website including a ‘+1’ button is recorded and kept for at least 18 months and can be associated with the uses of Google's services; data collected with the DoubleClick cookie are associated with an identifying number valid for 2 years and renewable.
European Data Protection legislation provides a precise framework for personal data processing operations. Google must have a legal basis to perform the combination of data of each of these purposes and data collection must also remain proportionate to the purposes pursued. However, for some of these purposes including advertising, the processing does not rely on consent, on Google's legitimate interests, nor on the performance of a contract.
Google should therefore modify its practices when combining data across services for these purposes, including:
- reinforce users' consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics. This could be realized by giving users the opportunity to choose when their data are combined, for instance with dedicated buttons in the services (cf. button “Search Plus Your World”),
- offer an improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose for which service their data are combined,
- adapt the tools used by Google for the combination of data so that it remains limited to the authorized purposes, e.g. by differentiating the tools used for security and those used for advertising.
This letter is individually signed by 27 European Data protection authorities for the first time and it is a significant step forward in the mobilization of European authorities. Several recommendations are also supported by members of APPA (Asia Pacific Privacy Authorities) and Canada's federal Privacy Commissioner has had similar concerns about various Google activities.
The CNIL, all the authorities among the Working Party and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations.

We might hope that the OAIC will expressly endorse the Article 29/CNIL statement