Oil, and Data
If data is considered the new oil of the 21st century (and it is), then the Internet is the new global pipeline of the global information economy, which all companies are either trying to protect, or tap into through evolving methods and techniques. Facebook, Amazon and Google are (respectively or not) the new Venezuela, Saudi Arabia and Canada. Big data analytics is the new fractional distillation method used by oil refineries to separate hydrocarbons, your personal information, from crude oil. Assuming all of the above to be true, then what are privacy policies, or data protection authorities.
Google’s Privacy Policy
After lightening the mood for the readers in my previous posts, first by discussing a defamation case between a Siberian tiger from Russia and a Chinese snow leopard, then by discussing the philosophical merits of scooby doo and existentialism, its time to get back to business. Google’s new privacy policy has been under the scrutiny of the European Data Protection Authorities since its launch was announced by Google at the end of January 2012. On April 2, 2013, six EU Data Protection authorities (France, Italy, Britain, Germany, Spain and Holland) announced that each will launch separate investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection.
Google unified more than 60 different privacy policies across Google’s services and apps under one single privacy policy that covers almost every Google product and service. In addition, it allowed Google to combine data collected in every service into a single detailed user profile. To give an example, if a user searches for oil refinery through the Google search engine, Google can use this information to suggest videos about oil refining on YouTube.
Among the concerns expressed by the EU towards Google’s privacy policy was its failure to precisely inform the user of the type of data collected, its purposes and its recipients because the policy is too general. As a result, users are unable to determine which categories of data are processed in the service that is used and for which purpose they are processed. The EU also stated that the combination of data requires the unambiguous consent of the user and that this large combination of data is disproportionate and creates high risks to the privacy of the user. Finally, Google has not specified the retention periods for the data it processes, in breach of the Directive.
National Enforcement Actions in Six EU Countries
Google decided not to implement the Article 29 Working Party’s recommendations.
Following a meeting with Google on March 19,, 2013 the national Data Protection Authorities of 6 of the 27 EU Member States announced that each will launch investigations and enforcement procedures against Google. Unlike the initial assessment phase that was coordinated by the CNIL on behalf of the other EU authorities, these investigations and enforcement procedures are not being jointly pursued. Indeed, each national Data Protection Authority has its own procedures, powers and sanctions.
Although the authorities have announced that they will cooperate together, Google will nevertheless face six distinct national procedures, and should they result in divergent decisions, there is no system to reconcile them. One goal of EU data protection reform is to establish a new system of supervision when data processing has an EU-wide impact. Under the proposition for a new EU data protection regulation made by the European Commission in January 2012 and currently under review before the European Parliament, only the Data Protection Authority of the EU country where the company has its main establishment would be in charge of taking legally binding decisions against a non-compliant company (one-stop shop). In addition, mandatory cooperation between national authorities, as well as a consistency mechanism at the EU level, would be implemented to ensure consistency across investigations and enforcement procedures.
Smit LeSieur is a leading Canadian law firm in the area of privacy and data protection, as well as cybersecurity. Areas of practice also include Internet and ecommerce, copyright and trademarks, marketing and advertising, immigration, business law for start-ups, and more. Significant discounts on legal fees apply for certain projects. Visit us at www.smitlesieur.com for more information.
Related articles
- EU data-protection authorities launch joint action against Google (newstatesman.com)
- [Opinion] Google’s collision course with member states (euobserver.com)
- Google gets six-nation probe over privacy policy (pcpro.co.uk)
- Unhappy Google’s Not Changed Privacy Policy, EU Vows Six Individual EU Nations Will Press On (marketingland.com)
- EPIC: EU Takes Action Against Google for Privacy Policy Meltdown (bespacific.com)
- Google facing action over privacy policy flaws (irishtimes.com)
- Google faces action in Europe over privacy policy (mercurynews.com)
- Google Privacy: EU Countries Take Action (news.sky.com)
- Six European countries move against Google over privacy (thenewstribe.com)
- Google ignores privacy pleas of EU data regulators (information-age.com)
