We love Google, but does Google love us?

This article looks at what's happening with Google (besides global domination) following on from the pan-European investigation led by the French data protection regulator into Google's updated privacy policy (basically, Google had unilaterally updated and consolidated its privacy policy to provide uniformity to users of its different products and services).  

What's Happening? 

The UK regulator has now confirmed that it has written to Google to confirm that its privacy policy doesn't comply with the Data Protection Act and requiring changes to be made by 20 September if Google is to avoid formal enforcement action.  The ICO's key concern (as with the other data protection authorities who are taking action against Google) is that the consolidated policy doesn't provide sufficient information to enable UK users of Google's service to understand how their data will be used across all of Google's different products and services.  The French and Spanish data protection authorities have made similar complaints to Google (and far more vehemently in the case of the French regulator).

Why Does it Matter? 

Well, for lots of reasons really:

  • It demonstrates that even the big guys with access to huge resources and with access to cutting edge technology get data protection basics wrong (this isn't a view shared by Google, who maintain that their policy and the changes which have been made to it are compliant with European data protection laws).
  • The open battle with Google is sending out a clear message to all organisations that privacy regulators are particularly concerned about those organisations with access to vast amounts of user data secured through the provision of 'free' services with the potential for misuse of such data and abuse of the customer relationship through an imbalance between the organisation and the individual (often through the individual's reliance or dependency on 'free' services accessed through a common platform - a risk which is heightened when the way in which the individual's data is being used and shared isn't transparent or changed without the individual's consent) - this is a concern shared by the European Commission and a key driver behind the new European data protection laws.
  • The ongoing battle with Google demonstrates a level of co-ordination between European regulators which we haven't really seen before, but its a sign of things to come as and when European data protection laws are overhauled

What Next? 

That's an interesting question, as so far, Google has taken an extremely belligerent approach to the concerns expressed by the privacy regulators (having effectively ignored the changes requested by the French regulator to date).  This investigation together with the enforcement action which has been taken in Europe and the US in relation to Google's Street View issues (Google having collected payload data without consent from wi-fi networks including individual e-mail addresses, URLs and passwords - deletion of which has been mandated by the ICO) is very much in the public eye and is causing some reputational damage to Google.....but it remains to be seen whether the negative publicity and prospect of formal enforcement action is enough to see Google change its view on its privacy policy. 

Why Should I Care?  

The bigger issue is that Google isn't alone in having consolidated its privacy policies following merger activity or the consolidation or diversification of products, services and channels.  It also isn't alone in developing a privacy policy which European regulators' would see as providing insufficient transparency to individuals.  In short, we expect to see sustained regulatory focus on privacy policies (and helpfully, the privacy regulators across the world have told us so)!

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.