PARIS – Google’s new privacy policy does not comply with European data protection law, and the company should delay its introduction pending an investigation of the changes, the French data privacy regulator told Google CEO Larry Page in a letter on Monday. But the company said once again that it will press ahead with the new policy, set to go live on Thursday.
The French National Commission on Computing and Liberty (CNIL) wrote to Page to express the concerns of the Article 29 Working Group, an umbrella body for data protection regulators from European Union member states.
Page did not respond directly: The company’s reply was signed on behalf of Google global privacy counsel Peter Fleischer.
The Article 29 Working Group’s chairman, Jacob Kohnstamm, had already written to Page on Feb. 2 asking the company to delay introduction of the new policy, but Google said then it had no intention of doing so.
In Google’s latest refusal to comply, Fleischer said: “We have been keen to meet with the CNIL as lead authority on this matter and have reached out to your office on several occasions both prior to and since receiving Mr Kohnstamm’s letter.”
But, he continued, “Google are not in a position to pause the worldwide launch of our new privacy policy. […] To pause now would cause a great deal of confusion for users.”
User confusion is one of the reasons that CNIL and the other European data protection regulators want Google to reconsider its new policy.
The new policy essentially says that Google will use information from any one of its services to influence the performance of any of the others — so someone’s search results may be influenced by the content of their Gmail messages or the videos they watched on YouTube, or by their contacts, friends and followers across Google services.
CNIL president Isabelle Falque-Pierrotin told Google she welcomed Google’s attempts to streamline and simplify its policies, but said that this should not happen at the expense of transparency or reader comprehension.
“The new privacy policy provides only general information about all the services and types of personal data Google processes. As a consequence, it is impossible for average users who read the new policy to distinguish which purposes, collected data, recipients or access rights are currently relevant to their use of a particular Google service. The fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either,” she wrote.
But beyond usability, there is also the question of whether the new policy is legal. On that point, Falque-Pierrotin was emphatic.
“Google’s new policy does not meet the requirements of the European Directive on Data Protection,” she told Page, before reiterating the working group’s earlier demand that Google suspend introduction of the new policy until the group has finished analyzing it.
That analysis could take time, though. Falque-Pierrotin said that CNIL will send Google a questionnaire about its policy changes, and other aspects of its data-processing activities, by mid-March, and that it will study the policy changes’ compliance with the law “in the following weeks.”
Concern over Google’s policy changes in Europe mirrors that in the U.S., where 36 state attorneys general wrote to Page on Feb. 22 saying that Google’s new policy does not give users sufficient chance to opt out of Google’s tracking.
Google [Nasdaq: GOOG] has said that anyone who doesn’t like the new policy can simply stop using its services — but that won’t be so easy for users of Android phones, who the attorneys general are concerned would find it virtually impossible to stop using Google services while still using their phones.