As many of Matron's readers will know, the EU's Article 29 Working Party has called on Google to agree to a "pause" with regard to the introduction of the new policy to give regulators across Europe the chance to review whether the new policy complies with EU data protection law. Google has so far rejected this request, pointing out that it has run the new policy by some (though admittedly not all) of the EU regulators already and that it sees no reason for further delay. It also seems convinced that the new policy does in fact comply with the law.
The Working Party is not so sure and the French data protection authority CNIL has now sent a second letter to Google on behalf of the Working Party in which it sets out its particular issues. A US-EU consumer rights organisation, the Trans-Atlantic Consumer Dialogue (TACD), has sided with the Working Party and written its own letter to Google CEO, Larry Page.
At the heart of the matter are concerns about
- a lack of transparency of the new policy and
- the allegation that Google may have given itself a right to combine personal data collected across all of its services that it did not have before. In particular, CNIL's preliminary investigations seem to show that it is difficult to know exactly which data is being combined between which services and for which purposes.
Combination of data across services
Back in October 2011, Google's policy said:
"We may combine the information that you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information."
The new policy reads:
"We may combine personal information from one service with information, including personal information, from other Google services – for example, to make it easier to share things with people you know."
To Matron the main two differences seem to be that:
- under the older version, combining data across services was allowed for the specific purpose of "providing you with a better experience and to improve service quality".
- under the old policy, users were given the opportunity to opt out of having their data combined for certain services. That opt-out right now seems to have been removed across the board.
However, the old policy did at least tie the right to combine data to some kind of specified purpose, albeit a big and expansive one. Under the new policy, Google seems to have removed any purpose restriction whatsoever and just given itself the right to combine whatever data it holds about us as it sees fit. As a data protection lawyer, Matron would have to agree with CNIL that this is at least questionable under EU data protection law, which only allows for personal data to be processed (and combining is an act of processing) for specified purposes.
Also, in practical terms it would certainly suggest that Google is now doing something (or planning to do, or at the very least giving itself the option to do, something in the near future) that it wasn't doing before. Why else go to this length? As always, we could of course blame incompetence before looking for bad intent, but Google must be able to afford some of the best data protection lawyers in Europe, so maybe we can rule that out.
As for removing the users' right to object to the combining of their data, this is quite an important change and one whose repercussions we cannot yet really assess. For Matron personally, this means, for example, that Google may now technically be permitted to combine the data it collects about her via this blog (which one of its subsidiaries hosts) with her search history. Because when registering with Blogger, Matron used an e-mail address that includes her real name (more fool her, many of her techie friends will say, but probably something that many other average users would have done as well) and given that this is the same e-mail address she used when opening a Google account, Google as a group of companies (not just as one or two of its subsidiaries) now knows the real name of the person who writes a formerly relatively pseudonymous blog (for Matron's feelings about this sort of thing, see here).
The question is, of course, how long it may now take until Google finds a creative use for all this combined data? For example, how long until a Google search for Matron's real name brings up this blog in the search results? Google may say that it has no plans to do this and be quite right at this point in time. But stranger things have happened at sea and on Facebook than an online provider changing its mind, business model or algorithm. The point is that it now can.
Also, and this seems to be the main point of CNIL/WP29 criticism, it could justifiably be said that the new policy has indeed become a lot less transparent for the average user. This is because Google has now basically put up two big buckets:
- In bucket A are all the types of data Google may collect from users of any of its services.
- In bucket B are all the purposes for which Google may process personal data.
Given that in the EU data controllers are under an obligation to tell data subjects specifically in each case what type of data they are processing for what purpose, Google's approach is probably not enough to fulfil its obligation to provide data subjects with the required "fair processing information" as it's known in the trade.
The "conspiracy list" on which this discussion arose consists of around 25 people, learned men and women all, with backgrounds and tertiary degrees in law, IT, politics and many other cognate areas. After several rounds in the ring, members seemed to be unable to agree on what the new policy actually means. If it is ambiguous enough that this type of user can't figure it out, the "normal" Internet user (as in most of Matron's examples consisting of a sample n=2, being Matron's and Pangloss' mothers) stands no chance. So, Matron can't help agreeing with CNIL that on the facts, at the very least, the latest development in Googleland warrants closer inspection and maybe the requested "pause".
To Google bash?
However, for Matron the most interesting and most frustrating aspect of the discussion on her list was not whether or not Google's latest peccadillo was of sufficient quality to finally taint the "don't be evil" image, but whether or not we, as a group of critical individuals, should be drawn into this affair (and a number of other affairs which involve Google, like, for example, the issues with the security gap in the Safari browser's cookie preferences) in the first place.
The reasons given for "not jumping on the Google-fear bandwagon" went along the following lines:
- We shouldn't get caught up in a campaign to "take down Google", that was effectively organised and financed by a group of competitors.
- There are other organisations who do the same or worse and so we need to be even-handed in our criticism.
- We should focus on the principles and not on individual companies and single cases.
- We should stick to our work and avoid chasing headlines.
That very same group of people has in the past both co-operated with and criticised companies, institutions and organisations like BT, Microsoft, Virgin Media, Phorm, the Information Commissioner's Office, the Home Office, the European Commission, O2, the UK security services, several rightsholders and their associations and even Apple (until recently another "Untouchable") without having had similar discussions about whether or not we should "single them out" for their transgressions. So why was this different?
And even if in this case Google's approach is specifically selected for criticism and comment, is this really so unjustified? If a country like, say, the US were to start violating certain human rights - let's assume for a moment that one day they may decide to detain certain undesirable individuals in prisons without a fair trial for an indefinite period of time - would we really bellyache about whether or not we can criticise the US for that just because any number of tin pot dictators all over the world have done the same for decades without us making a big deal about it?
Contrary to all the constant affirmation given to men by women all around the globe, size does matter. Reach matters. And relative and absolute power matters. If a big and powerful country like the US does something that flies in the face of a general feeling of what is right or wrong, this does two things:
- its actions alone are likely to affect a massively larger number of people than the actions of smaller, less powerful countries.
- its actions set a standard that other, smaller and less powerful players will adopt as soon as they get the chance.
The only way to counteract this is for those of us with the relevant skills to pick them up on any transgressions as and when they happen. We must do this by analysing their actions; by bringing any unlawfulness to the public's and the regulators' attention; by working with regulators and other stakeholders in relation to enforcement and by trying to shape policy designed to address and/or prevent future transgressions.
And at no point in this process should we ever ask ourselves, "Should we be doing this because it could be construed as Google (or Apple, or Microsoft) bashing?"