On 1 March 2012, Google updated its terms of service and consolidated its privacy policies into one single privacy policy, enabling Google to aggregate users' personal data from across all of their accounts and services including Gmail, Google+, YouTube and its search engine.

The Article 29 Working Party (an advisory body that represents data protection authorities in the EU) expressed concerns about Google’s compliance with EU directive 1995/46/EC (“Data Protection Directive”) under its new unified policy and asked the French data protection regulator, the Commission nationale de l'informatique et des libertés (“CNIL”), to lead an investigation into Google's new single privacy policy on behalf of the national data protection authorities of the EU member states in order to determine whether it was in fact compliant with the Data Protection Directive.

On 16 October 2012, the CNIL published its report on this matter, which has been endorsed by all of the EU member state data protection authorities (with the exception of Greece, Romania and Lithuania).

The report’s main findings were as follows:

Information

Google failed to comply with the information requirement set out in Articles 10 and 11 of the Data Protection Directive by providing insufficient information to its users on its personal data processing operations. Under its current policy, a Google services user is unable to determine which categories of personal data are processed and the exact purposes for which this data is processed.

The CNIL recommended that in order to comply with the Data Protection Directive, information provided to users must describe the purposes and categories of data processed in a clear and accurate manner, detailing for each processing the exact purposes and data collected (including data from other services). The CNIL further recommended that Google define an architecture of privacy notices (to include in-product privacy and interstitial notices, its current privacy policy and productspecific privacy notices) and develop interactive presentations to allow users to explore the content of the privacy notices without having to read long, linear documents.

Combination of data services

The CNIL identified a total of eight different purposes for the combination of data across Google’s services; in four of those, the CNIL was unable to establish a valid legal ground for processing personal data (namely “consent”, “performance of a contract” or “legitimate business interests”) for the combination of data across services. In particular, the findings reiterated that Google could not rely on user consent in cases where the user is unaware of the exact extent of the combination of the data.

To comply with the Data Protection Directive, the CNIL recommended that where data combination requires a legal basis, Google should adopt a “privacy by design” approach (anonymisation, simple opt-outs and retention periods). Where data combination requires user consent, Google must seek the explicit consent of its users and make opt-out mechanisms available in one place.

Retention period

Google was unable to provide information on a maximum or typical retention period for the personal data it processes. This in turn raised questions as to the effectiveness of the opt-out mechanisms and deletion actions requested by users.

The CNIL recommended that retention periods should be clearly defined, particularly in relation to deleting content, unsubscribing to a specific service and deleting users' accounts.

WAB Comment:

Online providers should note that the report’s findings have interpreted the existing data protection obligations under the Data Protection Directive in a relatively restrictive manner. The report has highlighted that privacy policies should be comprehensible, transparent and easily accessible to users. Moreover, online providers should ensure that any opt-outs of specific uses of personal data are easily locatable by users and should provide additional information to users about the use of any data that has a significant impact on the user’s privacy, such as location data, credit card data and unique device identifiers.