EU Seeking Numerous Google Privacy Disclosures, Policy Changes
List of guidelines sets up next confrontation with regulators.
Issued by the pan-European Article 29 Working Group, the guidelines don’t have the force of law. They stand, however, as forceful suggestions to bring Google into compliance with European data protection laws. Individual governments would later enforce the alleged privacy violations, as France has done with its 150,000 EUR (roughly $190,000) fine earlier this year.
Google must meet its obligations with respect to the European and national data protection legal frameworks and has to determine the means to achieve these legal requirements. In order to guide Google in this compliance effort, the Article 29 Working Party has developed guidelines containing a common list of measures that your company could implement. A draft version was presented to representatives of Google on 2 July 2014, at a meeting in Paris in presence of five European Data protection authorities.
- The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
- The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.
- It fails to define retention periods applicable to the data which it processes.
- Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.
Below is the letter that includes the specific measures that Europe would like Google to adopt. They represent some significant changes to how Google does business. For example, Google would have to gain users’ consent for Google Analytics data to be passed to publishers and provide an option “for users to disable Google analytics on a temporary or permanent site basis.”
It’s very likely that Google will offer to comply with some but not all the recommendations and try to negotiate a “settlement” accordingly. However the history of this dispute may suggest that no voluntary arrangement can be negotiated. The fines, even in the EU aggregate, that privacy regulators can impose are modest compared with Google’s global revenues.