Google offers a wide range of services including the following: Google search, Maps, YouTube, Gmail, Google Earth, Reader, Mobile, Chrome and Reader. 

Google announced its new privacy policy on 24 January 2012 and this sparked initial concern from the Article 29 Working Party.  The Article 29 Working Party was set up under the EU Data Protection Directive (95/46/EC) to act as an independent European advisory body on data protection and privacy issues.  The Working Party’s concern was to verify whether and how this new policy would comply with the European Directive on Data Protection.  The Working Party requested that Google pause before introducing this new policy and appointed the French data protection authority CNIL to lead an investigation into the policy’s compliance.  Google refused to pause and confirmed that the policy would be introduced on 1 March 2012. 

CNIL’s preliminary analysis of the policy raised concerns that it might indeed not comply with the EU Directive for the following reasons:  The general information provided by the policy did not satisfy Articles 10 and 11 which require a purpose-specific wording to ensure transparency for account users.  Currently it is difficult for users to know exactly which data is being combined between which services and for what purposes, which raises doubts about the lawfulness and fairness of processing and thus compliance with Articles 6 and 7.  Additionally, Article 5 of the E-Privacy Directive requires a search engine to obtain user consent for the use of cookies to obtain data, Google uses cookies (as well as other tools) to obtain data and it is not clear how they intend that the new policy will comply with the principle of specific consent in Article 5(3). Please click here.

CNIL also explained its concern that Google did not take a real opportunity to consult the authorities prior to the announcement of the policy.  Not all authorities were informed, and those that were only heard about the changes a matter of days prior to the announcement which the CNIL observes prevented constructive feedback.  It should be noted that although Google did contact account users in the UK prior to the changes, a recent survey run by Big Brother Watch (a British privacy advocate) shows that only 12% of Google service users have read the policy and 47% of those surveyed were unaware of the new privacy policy.

What does the new policy mean for someone using any of these services?  Whenever an account holder uses a Google service they are leaving personal data that will be amalgamated with data obtained from other services they have used, giving Google a fuller picture of their interests, location, music preferences, shopping needs, friends etc.  A Google account user cannot opt out of the privacy policy itself unless they stop using Google services.  It is however possible for users to opt out partially from at least the data combination and preference advertising by:

  • disabling Web History.  This will not prevent Google from gathering and storing data and using it for internal purposes.  It does however prevent the information gathered from a user’s searches being combined with data from other services and means that it will be made partially anonymous after 18 months.
  • using Google Dashboard to edit advertisement preferences.  Using the Ads Preference Manager a user can either choose which type of adverts they receive by selecting categories, or can click ‘opt out’ to prevent tailored adverts altogether.  This opt out does not stop or reduce the adverts a user will be exposed to it simply ensures that adverts are not customised.  Importantly this ‘opt out’ does not stop the amalgamation of data across Google’s services or stop information being stored.
  • logging out.  An account user can log out of their account and then use the Google services to avoid being tracked or use separate accounts for different services.  This however makes for a clumsy, less user friendly service.
  • blocking cookies.  By blocking cookies the user will not leave a data trail; this may cause problems in using the services.

Even if users take the measures listed above Google can release that personal data to external bodies in certain circumstances which are listed in the policy itself.  For example, Google can release a user’s data when it ‘is reasonably necessary to meet any applicable law, regulation, legal process or enforceable governmental request’.

It is worth noting that Google services are free for users because they are paid for by advertisements.  An important objective of the recent changes in Google’s privacy policy is for Google to sell advertising and more effectively leverage its power in the information gathering area  into selling power in the advertising market.

Users and user groups are concerned at the data map the company will have, describing, analysing and identifying them in considerable detail despite Google’s claims that the new process streamlines and simplifies its privacy policies.  CNIL flags that this simplification is welcome but should not be done at the expense of transparency and comprehensiveness for users.  CNIL’s investigation into the policy continues.