
Euro chiefs: Hi Google. Here's how to REALLY protect everyone's privacy. Hello? Hello?

is this thing on? Anyone there?

By Jennifer Baker, 25 Sep 2014

Google cannot expect its users to read the web giant's rewritten Terms of Service to know how their privacy is being handled. That's according to Europe’s data protection chiefs in a letter to Google supremo Larry Page on Tuesday.

The Article 29 Working Party, which penned the missive, is made up of national data protection supervisors from all 28 EU member states, and has been investigating Google’s privacy policy since 2012.

In 2012, Google decided to merge the different privacy rules of 60 of its services including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs and Google Maps into a single policy. The working party said this means that “almost ALL European internet users were affected.”

The move prompted several EU data protection authorities to take action against the advertising goliath. In January this year, French authorities fined Google €150,000 and ordered the Californian corp to publish a statement on the decision on the google.fr site for 48 hours.

In Tuesday’s letter – made public on Thursday [PDF] – the data protection chiefs laid out a list of possible measures Google could undertake to bring it in line with EU data protection laws and avoid further sanctions. Because users cannot be expected to read the Terms of Service update, the working party said any new purposes for the collection, processing, sharing or any other use of personal data must be presented in Google’s privacy policy.

According to the party’s guidelines, this policy must be immediately visible and accessible via one click, without scrolling, from each service landing page. It must provide clear, unambiguous and comprehensive information regarding the data processing.

It must give users an address so that individuals can exercise their rights against the company. “This specifically includes the obligation to clearly identify Google as data controller on the YouTube service,” the Euro bigwigs said.

“Google should avoid indistinct language such as ‘we can’ or ‘we may’, but rather say ‘if you use services A and B, we will’,” continues the text. Consent should be clear, unambiguous and be given before the processing starts, ie before the user can start using the relevant Google service.

The group was also critical of the vague language regarding who can collect data. “Google recently added ‘and our partners’ to the set of entities that may collect anonymous identifiers. However, Google did not inform about what type of entities these partners are and how they will use the collected data,” points out the party.

The group suggests making it easier for users to manage and control the use of their personal data. This could be done by making account dashboards more accessible, with privacy-friendly default settings. The dashboard is only available for authenticated users, but the working party said it should be easy to extend it to passive and unauthenticated users by using cookies.

The watchdogs said these are only guidelines, and there may be other means by which Google could achieve compliance. But there’s no guarantee Google will follow them anyway. Similar suggestions sent by the working party in October 2012 were roundly ignored. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing