En Garde! The French DP Regulator Flexes Its (Puny) Muscles. Google Looks On

Google is in the spotlight again. On 27 September the French data protection regulator (CNIL) confirmed that, since Google has done nothing to comply with CNIL's request back on 20 June to amend its data protection practices, and in particular the consolidated privacy policy it rolled out in 2012, CNIL is bringing enforcement proceedings.

We look at the lessons for privacy policies and practices in Europe.

The showdown is looming

Before we go into any detail, it is interesting to put the law to one side and talk about the "real" world.

Google is big and powerful.

CNIL's powers include the right to levy fines, but anecdotally this power is puny. Google supposedly makes enough money in 10 minutes to pay the maximum fine CNIL can levy. Whether or not this position is actually true, it gets the message home; from a financial point of view this arguably feels like a battle between David & Goliath.

Google is more likely to be concerned about damage to its reputation. That said, it would not come as a surprise if Google sees CNIL as something of a minor irritation in this area, given the global profile of its brand.

Things might get interesting if CNIL has the power to force Google to change its ways under French law - e.g via a court injunction for breach of statutory duty or similar - if so, this sanction has more teeth.

We suspect Google is looking for a such a day in court. The main benefit would be certainty and closure of these issues or at least a clear way forward for its business in France. It would also be pursuasive in any other EU proceedings it might face on the same issues (both Germany and the UK, amongst others, are looking at the position).

What is at stake?

Quite a lot.

Google are the masters of all things data. In very broad terms, their model is based on getting people to use the web - in particular, but not necessarily their services - and then combining the reams of data they can obtain from this use to improve their services and power the source of their revenue, paid search and advertisting.

CNIL recognises this position. Their criticisms strike at the very heart of Google's practices, in particular Google's combination of data from disparate sources.

This public squabble is of course underpinned by the effect of French legislation implementing the current EU Data Protection Directive.

The relevant concepts are vague and woolly; the available guidance from the EU's Article 29 Working Party (A29WP) does not have the force of law, and "compliance" is, as a result, very open to subjective interpretation.

CNIL has one view; Google another. Who is right? This question is ultimately one for a court.

So what have Google actually been pulled up for?

Taking CNIL's side of the story and paraphrasing slightly:

1. Ambiguity in their privacy policies

In CNIL's view, Google uses broad and ambiguous terms in its privacy policy. In fact, CNIL go so far as to call Google's policy "evasive". "An individual cannot anticipate the scope and content" of the services Google offers, or the impact of their combination.

In CNIL's view this position is contrary to the 2nd data protection principle, which requires all purposes for which personal data is used to be clearly set out.

The conundrum here is the scale of Google's business. It formerly had over 60 different privacy policies, once for each of its service lines. Having one consolidated one makes things simpler for consumers and for a business to administer. Most organisations would be sympathetic to Google's aims in this area.

CNIL's point seems to be that the desire to keep things simple should not come at the expense of consumers being able to understand and make informed choices about what is actually happening to their data.

2. Lack of retention practices

CNIL's investigations appear to have uncovered that Google does not have a set period of time after which it deletes, amongst other things, all data collected from a user who had an account or who added content to one of its services, when that user later deletes that account or content.

In CNIL's view this position is contrary to the 5th data protection principle, which in effect requires all personal data to be deleted once it is no longer needed for the purposes for which it was obtained.

3. No consideration has been given to people's legitimate interests

This point is a technical legal one.

To be lawful, all use of personal data in the EU must satisfy one of a number of conditions.

According to CNIL's analysis, Google can only rely on one of these conditions to combine data for the development of future services; the so-called "legitimate interests" condition.

This condition basically says that in general personal data can be used for any "legitimate" (e.g lawful) business interests provided an organisation considers and implements practices to uphold the rights and interests of individuals as well. In other words, an organisation has to balance its own interests against those of the individual.

In CNIL's view, Google has not done so because there is no effective means of a person being able to opt their data out of a new practice or service, if Google wants to do something with it in future to which that person objects. In that sense, Google are persuing their own interests, but ignoring those of the people whose data they hold.

4. Insufficient information for cookie consent

This point is a bit left-field from a UK practice point of view.

CNIL have pulled Google up for not providing enough information about its cookies on third party websites.

In CNIL's view, Google have a responsibility to ensure every website user "consents" to its cookies (as required by the new cookie laws which were rolled out across the EU last year), even when those cookies are placed through a website which is not controlled by Google e.g because its owner has chosen to use Google maps, Analytics or a Google +1 button.

UK practice to date is largely to treat such issues as a problem for the website owner.

An interesting aside is the fact that CNIL considers the collection of data by Google via cookies in general to be "personal data" regulated by the EU's Data Protection Directive. CNIL don't go into technical details, but do say that Google has the power to identify individuals even when they don't have a Google account.

CNIL's action is yet another warning; cookie-derived may not be as "anonymous" and unregulated as many US-organisations and digital media businesses would want you to believe.

So what does all this mean for the rest of us? 

Firstly, we have to say that under the current system of EU data protection regulation, what happens in France is not necessarily what happens in the UK. We have separate legislation implementing the common EU Data Protection Directive, and a separate regulator who takes a separate approach.

As alluded to above, the UK data protection regulator, the Information Commissioners Office, is already investigating Google for the same practices as those considered by CNIL, and the time for Google's response in the UK has also expired. We await developments.

Putting such legal niceties aside though, it is fun to draw conclusions from what our friends over the Channel have said:

  • The days of being ambiguous in privacy policies may be numbered. The more specific you are, the better. You can't hind behind the complexities of your business, myriad of service lines, breadth of activities or scale of your ambitions. A privacy policy should be an accurate snapshot of what you do with data now. If that picture needs to change; you should change your policy - but beware that this could require you to get consent from your entire user base, and for those who do not consent, provide the ability for them to opt their data out.The catch is how to do this accurately given the compexities of modern business, without bamboozling the people who actually bother to read your privacy policy.
  • However difficult, complex or unpaletable it may be, you must delete the personal data you obtain eventually. This practice is, at best, hard to do given the complex uses to which data can be put by a modern business, and in our experience many organisations are bad at it. It feels like a mountain to climb. Some bits of data might have to be kept for legal or statutory purposes, others bits can be dropped more quickly: identifying which bits fall into which category and then making sure you don't make a mistake in deleting the wrong bit is not easy or cheap.
  • If you want to do new and clever things with data, you probably need to give the people affected the right to "opt-out" (ie. take their data out of scope completely)
  • Treat cookie-derived data as personal data regulated by the Data Protection Act 1998 unless you have very, very clear justification to the contrary
  • if you run a network or service which relies in part on putting cookies or similar trackers on user machines via third party sites, you should make sure those sites carry legal cookie notices about your practices that you have vetted, or even better, mandated.

More generally:

  • We have a really good insight into how the operation of the EU privacy regime could be improved if the much delayed draft EU Data Protection Regulation is ever passed! One of its key tenets is the creation of a pan-European system in which all national privacy regulators will align their approach, and investigations will be made by one lead regulator, not lots of separate ones. In principle this regime should be simpler and easier to understand for all concerned, although it does cede some national rights, and may force the UK towards the (typically tougher) standpoint of many EU member states.
  • It is clear why the EU are after far tougher sanctions in the draft EU Data Protection Regulation (e.g. fines of up to 2% of global turnover). If such a regime operated now, would Google be acting in a different, more conciliatory manner? We suspect so.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.