The immediate message is that organisations should tread very carefully in seeking to combine distinct data sets. This message is particularly key for businesses (such as internet advertisers and retailers) seeking behavioural data gleaned from multiple sources and sophisticated personal profiling.
The longer-term question is whether this encounter is the first step in a growing privacy battle, in particular given that the draft EU General Data Protection Regulation is on the horizon.
- In general Google does not demonstrate compliance with the "key data protection principles of purpose limitation, data quality, data minimisation, proportionality and right to object".
- Google has no legal grounds for combining data from many of its services together. To the trained eye, it looks like Google never had regard to, or perhaps chose to "take a view on" abiding by the "conditions for processing" that form part of the first principle of the EU Data Protection Directive.
- Google has failed to provide retention periods for the personal data it processes.
- Google has failed to implement the new cookies laws requiring consent (at least on an implied basis).
Note on CNIL's approach
Before we dive in to the lessons you should take away from Google's position, there is an important point to note.
In reviewing Google's practices, CNIL are looking at the EU's Data Protection Directive (DP Directive), which underpins all 27 EU member states' national laws.
Whilst this regime was meant to achieve a consistent playing field, in practice this is not the case: the German regime is notoriously tough, compared with the UK one as enshrined in the Data Protection Act 1998 (DPA), which is more relaxed and guidance based. The French regime, which will no doubt have influenced CNIL's approach, lies somewhere in the middle.
As a result, what would apply in one country will not necessarily apply in all of them.
Lessons to take away
- You might hate it, but detail in privacy policies is required. In general, the EU expects "all large and global companies" to "detail and differentiate their processing operations" in full. This point is not to be swept under the carpet in the aim of providing an easy-to-understand message to consumers. In CNIL's words, "companies should not develop privacy notices that are too complex, law-orientated or excessively long. However the search for simplicity should not lead internet companies to avoid the respect [sic] of their duties".
- Especially for mobile. CNIL advocated specifically adapted tools to convey privacy information to mobile device users.
- Combining "live" data sets together across services and products is not easy to do lawfully. We digest some of the related legal issues in the next bullets.
- Don't forget that use of personal data should be limited to specific and explicit purposes and not used for other, incompatible purposes (principle 2 of the DP Directive / DPA). As a result, you can't be too broad-brush in describing how you use personal data. You also can't chop and change how you use data as you like. For example, data obtained, say, for payment processing can't be used for marketing later down the line. Finally, you also need to keep the data used for one purpose distinct from data used for other purposes. This issue effectively prevents data-gathering techniques which cut across purposes; e.g. if you use one cookie for lots of purposes, chances are you have no segregation by purpose in your related data, as compared to one cookie per purpose, which allows for segregation.
- The only way around the purpose restriction is to go back to your original user base and get consent to any change or blurring of the lines. Many businesses choose to "take a view" in this area, in particular in the UK due to the Information Commissioner's Office's (ICO) relatively benign stance to date. Google look like they may be among the first to fall foul of the rules in failing to do so.
- What are the relevant purposes? Identifying what purposes are relevant, and their breadth, is not necessarily easy. CNIL has indirectly provided some guidance on this issue by identifying 8 in the case of Google. They are: (1) the provision of services where the user requests the combination of data, e.g. Gmail, Contacts; (2) the provision of services requested by the user where the combination of data applies without the user's direct knowledge, e.g. search results and web personalisation; (3) security; (4) product development and marketing innovation purposes; (5) the provision of Google's Account; (6) advertising; (7) analytics; and (8) academic research.
- Don't forget the "conditions for processing" (part of principle 1 of the DP Directive / DPA). These are often overlooked in our experience. As explained in an earlier post on our blog, you have to make sure that each use of personal data fits within one of a number of statutory conditions. The most commonly used is the so-called "legitimate business interests" condition. In summary, this permits personal data to be processed where you have a legitimate business interest in doing so, but you have to take into account the interests of your users as well. CNIL consider Google to have gone too far to fit within this condition because of the vast extent of the combined data Google would have at its disposal, which on balance means the interests of its users are being disproportionately prejudiced. Few businesses will be in the same position as Google, but it is worth remembering that there are not many other conditions open to commercial businesses. For example, it is difficult to argue that combining databases en masse is "necessary for the performance of a contract" (another of the conditions) when you have been able to service those contracts beforehand without aggregated data. In this situation only the most unpalatable condition is left: obtaining end user consent to your intended use.
- Don't forget proportionality (part of principle 3 of the DP Directive / DPA). We've already touched upon this issue in point 6. It is a theme running through many elements of the DP Directive and DPA, but is, in effect, expressly written into principle 3 of the DPA, which requires that all personal data used be "adequate, relevant and not excessive" for the purpose for which it is intended. CNIL felt the amount of data Google collected exceeded the acceptable boundaries set by this principle.
- It is an uncomfortable truth, but IP addresses are personal data when relevant to identification of individuals from the crowd. This position is in line with existing guidance from the Article 29 Working Party, the EU's main guidance body on data protection matters.
- You need to comply with the new cookies laws which came in earlier this year, requiring consent to the placement and access of cookies. CNIL have pulled Google up for not complying in respect of its DoubleClick, +1 buttons and Analytics services. Interestingly, though, CNIL challenge Google on this basis only in relation to "third party websites". CNIL appear to be saying the duty to obtain consent falls on Google, not on the provider of each site which uses Analytics, DoubleClick ad targeting etc.
- Cookies can generate personal data. The new EU cookies laws which came in earlier this year are here to stay, but compliance with them (in itself disliked by many) is only part of the picture. You still need to analyse what data you derive from cookies, how you use it, and in particular, whether you link it to other personal data or it enables you to identify individuals, making it personal data and triggering the need to comply with the DP Directive and DPA.
- You need to implement a retention policy, covering archiving, anonymisation (easier to say than do) and ultimately deletion of personal data. This obligation does not sit easily with the power of "big data" analytics and businesses' related desire to hang on to everything they gather for as long as possible and analyse it continually for useful intelligence. Google did not offer a response to CNIL's questions in this area.
- You need to treat location data, device IDs, telephony data and biometric info as being particularly sensitive. In CNIL's words, all these heads have a "significant impact on users". Google had to come up with additional, precise information for users about how this data would be used.
- A business can only hope to comply if it is completely open and honest internally... Your developers, commercial leads and marketing teams all need to know what each other is thinking, doing and planning on doing going forward, and apprise your legal advisors of this position in full. All too often we see business departments pulling up drawbridges, skirting over unpalatable truths and being "too busy" to discuss details or compliance issues. Such behaviours will send you down an uncomfortable, and potentially non-compliant, road.
- ...and puts in the required time and effort. You are not going to be able to dance through the above and come out compliant and smiling in the blink of an eye. All too often we see privacy compliance issues parked until the end of a project, or even dealt with as an afterthought. This is too late. Privacy needs to be on the radar at the outset, and assessed every step of the way, in particular at the stage where initial design ideas start to harden into set options and detailed requirements gathering commences. This can be especially difficult to achieve in an agile development environment where approaches can evolve rapidly.
- Consider engaging directly and pro-actively with your DP regulator. CNIL actively encouraged Google to do this going forward. We would support this as a general rule. In our experience in the UK, the ICO will provide ad hoc, project-specific guidance which can be of real benefit. If you are going to do this, though, you need to make sure you time it appropriately. You need to have progressed your project sufficiently to understand the issues and your take on them, but not have gone so far down the line that changes are very difficult and expensive to accommodate. Fundamentally, you also need an open mind and a receptive attitude; such discussions are best approached in a spirit of collaboration and not with the expectation that your preferred view will be fully endorsed.
The fighting may not be over
CNIL have given Google 3-4 months to comply with their recommendations. Otherwise they will seek sanctions against Google.
We await Google's detailed response with interest. CNIL acknowledged in their letter to Google that its practices "do not differ from other US internet companies", so the EU may be squaring up not only for a fight with Google, but also the wider US internet industry as a whole.
It remains to be seen whether this encounter will turn out to be just another skirmish or the first broadside in the battle over the shape of global privacy compliance for the next decade.
Either way, a showdown is looming on the horizon in the form of the EU's draft General Data Protection Regulation. The Regulation will help large multinational companies by consolidating the present mishmash of 27 EU member state data protection regimes into one, but it will also substantially increase their duties and the consequences of making mistakes.
CNIL's letter to Google and main recommendations can be read here.