23 December 2013

Google's online pain in Spain

Posts in this blog and other writing (e.g. here) have noted increasing expressions of discontent by European privacy regulators about Google and Facebook.

This week the Agencia Española de Protección de Datos (AEPD) - the Spanish Data Protection Agency - has imposed an aggregate €900,000 penalty on Google after concluding that
  • users were insufficiently informed that Google filtered the content of their emails and files to display advertising and, when it did inform them, it used terminology that was imprecise and unclear, with generic expressions
  • Google was breaking the law by using data it gathered for purposes that are unspecified and keeping this information for an indefinite time, while sometimes hindering users in their right to erase, access or modify this data.
The AEPD statement [PDF] indicates that
 Google unlawfully collects and processes personal information of both authenticated (those who log in their Google accounts) and non-authenticated users, as well as of those who act as "passive users" because they have not requested Google’s services but access to web pages that include elements managed by the Company. 
As a result, the Agency considers that Google seriously violates the right to the protection of personal data laid down in article 18 of the Spanish Constitution and regulated in the LOPD. 
AEPD’s inspection has demonstrated that Google collects personal information through nearly a hundred of services and products offered in Spain, in many cases not providing adequate information about what data is collected, what data is used for what purposes and without obtaining a valid consent of the data subjects. For example, Google does not inform clearly to users of Gmail that the content of mails and attached files is filtered with the aim to insert tailored advertising. Where Google does inform it uses vague terminology, with generic and unclear expressions that prevent users from knowing what they really mean. It is highly illustrative that in eight pages of its Privacy Policy, Google employs on up to 30 occasions terms such as 'we could', 'may', 'might' or "it is possible". In addition, Google uses highly ambiguous expressions to define the purposes of data processing, such as "improving user’s experience". The result of that approach is an indeterminate and unclear Privacy Policy. The lack of adequate information, particularly about the specific purposes justifying the processing of data, renders meaningless a consent that in order to be valid should be specific and informed. 
On the other hand, Google combines the personal information obtained through the different services or products in order to use it for multiple purposes that are not clearly determined, thus violating the prohibition to use data for purposes other than those for which it was collected. This combination of data across services that allows Google to enrich the personal information it stores, exceeds the reasonable expectations of the average user, who is not aware of the mass and transversal nature of the processing of their data. Acting in this way Google uses a sophisticated technology that exceeds the capacity of the majority of users to make conscious decisions about the use of their personal information so that, in practice, they lose control over it. 
Contrary to the provisions of Spanish law, Google stores and maintains data for periods of time indeterminate or unjustified, thereby contravening the legal mandate to cancel data when it ceases to be necessary for the purpose which determined its collection. The conservation of the data indefinitely, beyond the requirements arising from the purposes alleged at the time of collection, constitutes unlawful data processing. 
Finally, the AEPD concludes that Google hinders - and in some cases prevents - the exercise of the rights of access, rectification, cancellation and opposition. The procedure that citizens have to follow to exercise their rights or to manage their own personal information requires them to access to an undetermined number of web pages, scattered in several links, that are not available for all types of users and, occasionally, with denominations that do not always refer to its real object. The Company itself recognizes that users must run at least seven different processes, and reserves the right to not respond to requests involving "a disproportionate effort".
The Dutch data protection agency reached a similar conclusion last month but as yet has not imposed a penalty; Spain is the first nation to act, with the various regulators taking turns.