Google has signed an Undertaking with the UK’s Information Commissioner’s Office (“ICO”) in which it agrees to amend certain aspects of its 2012 Privacy Policy. The content of the undertaking is interesting, as it provides a guide to the sort of safeguards that privacy regulators now expect to see in privacy policies released by data rich businesses.

One Policy

Google’s 2012 Privacy Policy consolidated approximately 70 different privacy policies which had, until March 2012, existed across the range of services offered by Google. The 2012 Privacy Policy applied to most of Google’s product and service offerings. Unlike the previous privacy policies, the 2012 Privacy Policy was designed to allow Google to combine or pool data collected across all its products and services. In practice, this meant that personal data which was collected through YouTube, for example, could be combined with personal data collected from Google search.

Concerns

This co-mingling of data has attracted the attention of regulators across the EU. In October 2012, the Article 29 Working Party, the collective body of European data protection regulators, suggested that the 2012 Privacy Policy may not be in line with the European Data Protection Directive. In February 2013, the Article 29 Working Party established a taskforce with representatives from the French, Spanish, Italian, German, Dutch and UK data protection authorities. Each member of the taskforce considered the 2012 Privacy Policy’s compliance with its own national laws.

ICO’s Findings

The ICO has found that the 2012 Privacy Policy was not in compliance with the UK’s Data Protection Act. The ICO expressed concern about a perceived lack of easily accessible information describing the ways in which, and the purpose for which, the personal data of users was being processed by Google. The ICO recommended that more should be done by Google to alert users to data processing which would not be within a user’s reasonable expectations. The ICO found that the descriptions currently being provided to users were too vague, especially in relation to the improvement of services, the development of new services and the potential combination of data across services.

Although the ICO acknowledged that progress had been made in its engagement with Google, it also stated that it believed that further action was required. In January 2015, Google provided the ICO with an Undertaking in relation to certain matters, and in return the ICO agreed not to exercise its powers to serve Google with an enforcement notice under the UK’s Data Protection Act 1998.

Formal Undertaking

Google has agreed, from the date of the Undertaking and for a period of two years thereafter, to implement a number of changes, including the following:

  • Enhance the accessibility and content of its Privacy Policy;
  • Provide clear, unambiguous and comprehensive information regarding its data processing, including an exhaustive list of the types of data processed by Google and the purposes for which it is used;
  • Avoid indistinct language in the Privacy Policy where possible;
  • Ensure that there is continued evaluation of the privacy impact of future changes to processing which might not be within the reasonable expectations of service users so that users are provided with prompt and adequate notice of such processing; and
  • Keep the content of the Privacy Policy and associated web content under review and take appropriate actions so that service users are informed as to the ways in which their personal data may be processed.

Lessons to be learned

The Formal Undertaking entered into by Google provides a good indication of the sorts of factors that EU data protection authorities consider when reviewing privacy policies. The crucial point is that data protection authorities expect a high degree of specificity in the notices that businesses provide to users; generic or open-ended disclosures are likely to come under real scrutiny.