Google is forging ahead with its plan to launch its new privacy and data handling policies this Thursday despite objections from regulators on both sides of the Atlantic.
That’s already happened to Google, which reached a consent agreement with the FTC, because of its privacy violations. They face 20 years of privacy audits.
Back in January the Internet giant said it would combine more than 60 privacy policies into one statement. Google also said that data that had been kept on separate Google services would be combined. The corporate spin was this would improve user experience across all of Google’s sites. Actually, it’s about even better digital dossiers about you and other people who use Google’s services. The data will enable to the company to increase its ad revenue. Remember, you’re not Google’s customer, you are Google’s product.
After Google made its announcement of what I call the new “spy” policy, European data protection authorities sent a polite letter asking that the company delay implementation until the authorities had an opportunity to study the impact of the planned changes on people’s privacy. They said the French data protection authority, CNIL, would lead the investigation
Google, in its usual we-know-better-than-anybody-else mode, stiffed them.
Then 36 U.S. state attorneys general sent a letter expressing their concerns. Several members of Congress voiced objections and wanted an explanation of what’s going on.
While this was all playing out, Jonathan Mayer, Stanford University researcher, discovered that Google was deliberately circumventing privacy settings on the Safari web browser. Making it worse was the fact that Google provided false information about the effectiveness of the Safari settings it was circumventing.
Tuesday CNIL released a letter it had sent to Google that said, “our preliminary analysis shows that Google’s new policy does not meet the requirements of the European Directive on Data protection.” It also said, “The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation.”
And even though Google has claimed that the new “spy” (my word, not theirs) policy is supposed to be more transparent easier to understand, the CNIL disagreed:
“Moreover, rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices. Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals.”
In the letter the CNIL repeated the request that the new policies be delayed. Google stiffed them again.
It looks to me like the only way to get the Internet giant’s attention will be some serious fines. We have made that case that Google is violating the consent agreement with the FTC. Their could be penalties of $16,000 per violation, per day. The CNIL can impose fines up to $400,000 for a privacy breach. It can also seek court orders to block action that violates data protection law.
Regulators on both sides of the Atlantic need to take meaningful action to halt Google’s willful flouting of the rules.