28 September 2013

CNIL and Google

Posts in this blog have noted criticism (eg here and here) by European data protection authorities of Google.

Last year those authorities, through France's Commission nationale de l’informatique et des libertés (CNIL), stated that
Google provides insufficient information to its users on its personal data processing operations:
Under the current Policy, a Google service's user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed.
E.g.: the Privacy Policy makes no difference in terms of processing between the innocuous content of search query and the credit card number or the telephone communications of the user; all these data can be used equally for all the purposes in the Policy.
Moreover, passive users (i.e. those that interact with some of Google's services like advertising or ‘+1' buttons on third-party websites) have no information at all.
EU Data protection authorities remind Google and internet companies in general that shorter privacy notices do not justify a reduction of information delivered to the data subjects.
EU Data protection authorities ask Google to provide clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations.
For instance, EU Data protection authorities recommend the implementation of a presentation with three levels of detail to ensure that information complies with the requirements laid down in the Directive and does not degrade the users' experience. The ergonomics of the Policy could also be improved with interactive presentations.
Google does not provide user control over the combination of data across its numerous services:
Combination of data across services has been generalized with the new Privacy Policy: in practice, any online activity related to Google (use of its services, of its system Android or consultation of third-party websites using Google's services) can be gathered and combined.
The European DPAs note that this combination pursues different purposes such as the provision of a service requested by the user, product development, security, advertising, the creation of the Google account or academic research. The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data.
E.g.: the mere consultation of a website including a ‘+1' button is recorded and kept during at least 18 months and can be associated with the uses of Google's services; data collected with the DoubleClick cookie are associated to an identifying number valid during 2 years and renewable.
European Data Protection legislation provides a precise framework for personal data processing operations. Google must have a legal basis to perform the combination of data of each of these purposes and data collection must also remain proportionate to the purposes pursued. However, for some of these purposes including advertising, the processing does not rely on consent, on Google's legitimate interests, nor on the performance of a contract.
Google should therefore modify its practices when combining data across services for these purposes, including:
  • reinforce users' consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics. This could be realized by giving users the opportunity to choose when their data are combined, for instance with dedicated buttons in the services' (cf. button “Search Plus Your World”), 
  • offer an improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose for which service their data are combined 
  • adapt the tools used by Google for the combination of data so that it remains limited to the authorized purposes, e.g. by differentiating the tools used for security and those used for advertising.
Google does not provide retention periods
Google refused to provide retention periods for the personal data it processes.
The recommendations of the EU Data protection authorities have been sent to Google to allow the company to upgrade its Privacy Policy practices. This letter is individually signed by 27 European Data protection authorities for the first time and it is a significant step forward in the mobilization of European authorities.
Several recommendations are also supported by members of APPA (Asia Pacific Privacy Authorities) and Canada's federal Privacy Commissioner has had similar concerns about various Google activities.
The CNIL, all the authorities among the Working Party and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations.
CNIL has now noted Google's failure to comply with the deadline in an enforcement notice.

CNIL appears to be moving towards a formal sanction. The penalty - 300,000 euros ($432,000) - has a symbolic value.

In June CNIL ordered Google to comply with the French data protection law - the 1978 Loi Informatique et Libertés - within three months.

In particular Google was to:
  • Define specified and explicit purposes regarding data collection and processing; 
  • Inform users with regard to the purposes of the processing; 
  • Define retention periods for the processed personal data; 
  • Not proceed, without legal basis, with the potentially unlimited combination of users’ data; 
  • Fairly collect and process passive users’ data; 
  • Inform users and then obtain their consent in particular before storing cookies in their devices. 
Google has been unresponsive.

CNIL states that
On the last day of the three-month time period given to Google Inc., the company contested the reasoning followed by the CNIL, and notably the applicability of the French data protection law to the services used by residents in France. Therefore, it has not implemented the requested changes. In this context, the Chair of the CNIL will now designate a rapporteur for the purpose of initiating a formal procedure for imposing sanctions, according to the provisions laid down in the French data protection law.