The pressure on companies to adapt to stronger privacy regulation and enforcement in the EU increased this week, following the release of a letter to Google on behalf of 30 European data-protection commissioners.
The Asia Pacific Privacy Authorities have also issued a public letter supporting the findings and recommendations of the Article 29 Working Party and stressing that Google, as a market leader, has the responsibility to set a high benchmark for service that others will emulate.
The changes that the authorities are calling for include the following:
- Google should provide a better information to its users on its processing of personal data.
The Working Party concludes that Google’s current policy fails to respect the obligation of transparency as set out in the European legislation.
The Working Party thus asks Google to make numerous improvements, including:
- to provide clearer and more comprehensive information for each type of “processing (e.g. use of data) setting out the purposes and categories of data (implying that privacy policies that set out all categories of data collected under one heading and all types of processing under separate headings are no longer best practice, as the detail needs to be provided on a use by use basis);
- Google should provide a better user control over the combination of data across its services.
The Working Party asks Google to modify its practices when combining data across services, including:
- seek users’ consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics;
- offer improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose the services for which their data can be combined; and
- adapt the tools used by Google for the combination of data so that any use of combined data remains limited to the authorized purposes.
- Google should enforce adequate retention periods.
The Working Party stresses that, despite repeated requests during the investigation, Google refused to provide a maximum or typical retention period for the personal data it processes.
The Working Party thus invites Google to define more clearly the retention period of personal data, especially for the following actions: requests for deletion of content, cancellation of a specific service and deletion of account.