Google defends new privacy policy to European data regulator

Summary: Google has responded in a letter to France's data protection agency over claims it broke EU law with its new privacy policy, plus a few harsh words from the Dutch privacy chief.


Google has responded to the European Union's concerns over its new privacy policy, which went live on March 1, after several European data protection agencies hit out at the company for being in possible "breach" of EU law.

Europe's data protection advisory agency, the Article 29 Working Party, called on the search giant to put its new privacy policy changes on ice after local data protection authorities warned of the possible breach.

But Google didn't, potentially leaving itself in a legal pickle in the region.

The Commission Nationale de l’Informatique et des Libertés (CNIL), France's data protection agency, wrote a detailed letter of 69 questions to Google and demanded answers by the end of this week at the latest.

Google replied, and its defence for not holding off the privacy policy changes was that doing so would have proved "confusing to our users", after weeks of notifications that the company was consolidating its policies into a single mega-policy.

But, true to its own style, the search giant revealed very little about its practices or figures, and effectively gave CNIL the brushoff.

Google hit its three-week deadline for submitting answers with a few days to spare, but probably because it addressed, though did not necessarily answer, only 24 of the questions CNIL asked in its March 16 letter.

A Google spokesperson said it will respond to the remaining questions "by April 15", a few days after the 'deadline' expires.

But just as Google responded, Reuters reported that the Dutch data protection authority warned that the policy could lead to Google facing "a range of sanctions". Japanese and South Korean authorities have previously warned that the new policy could breach their local law.

Interestingly, Google sheds light on the matter of Europe's data protection agencies reportedly getting up in arms, by saying that in effect, many did not.

On page 3:

"In Europe alone, we provided pre-briefings to 18 [data protection agencies]. Of course, not all DPAs wanted a pre-briefing. This extensive outreach to regulators has, on the whole, been a constructive process. The feedback offered by the regulators we met was helpful. Significantly, none of the DPAs whom we pre-briefed asked us to “pause” our proposed launch of the Privacy Policy prior to Google communicating these changes to our users."

There are 27 member states of the European Union, and a local data protection authority for each state, leading to the suggestion that Google did not approach all local authorities to reveal its plans.

But the Dutch data protection chief, Jacob Kohnstamm, hit back in a war of words by saying it was not his job to have "a cup of tea and a chat" with companies, and that it was their job to comply with the law that Europe sets out.

"I am not going to give advice to Google and do so on taxpayers' money," he added. Fair play to him.

On to page 4:

"After we had completed our DPA pre-briefings and our extensive, global notification campaign for users (which included sending hundreds of millions of emails to users), the Working Party asked us to "pause" the launch of our Privacy Policy. We realise that the decision not to pause has disappointed the Working Party.

But after such an extensive notification it was difficult to see how such a pause was practically possible. At a practical level, “pausing” would have required us to launch yet another mammoth notification campaign, and would have proved confusing to our users."

Also on page 4, Google questioned the "legal basis for the Working Party to act as a regulatory body, or to mandate the CNIL to conduct a regulatory review on behalf of 26 other independent DPAs?", which is Google's way of saying, "You can't tell us what to do," and hinting that the Article 29 Working Party acted outside of its brief.

It also points to the discrepancies in definitions across the 27 European member states, something that will be fixed in the upcoming Data Protection Regulation, currently going through the European Parliament.

Google does say that, in regard to deleting data, it only deletes users' personal data "at their request in line with our back-up and retention policies", adding: "Google’s back-up and retention policies are set to take into account users’ interest in security and business continuity. Such policies would, for example, enable us to restore a maliciously deleted user account."

It did not say how long data is retained for, however, and actively avoided the question on page 15.

The CNIL can issue a range of sanctions at a France-only level, and give the company anything from a week to a few months to change its behaviour. The CNIL's response would not have any effect on a European level, unless the European Commission steps in via the Article 29 Working Party.

More from Google on April 15.


  • the EC is short sighted

    and by objecting to google is destroying jobs in Europe.
    The Linux Geek
  • Torn between here

    I am torn here. Between Google's intransigence, their total lack of "privacy" concerns for their users and their intrusive data mining versus CNIL's overall meddlesomeness and protectionist attitude against American companies. It's like having to choose between cheering for Dick Dastardly or Snidely Whiplash.
    Your Non Advocate
  • Typical Bureaucrat

    [quote] But the Dutch data protection chief, Jacob Kohnstamm, hit back in a war of words by saying it was not his job to have a cup of tea and a chat with companies, and that it was their job to comply with the law that Europe sets out.

    I am not going to give advice to Google and do so on taxpayers money, he added. Fair play to him. [/quote]

    Let's see, there are 27 DPAs in Europe alone, and you have a multi-billion dollar corporation asking for your feedback as it applies to your country and DPA. They are asking for assistance in understanding [b]local[/b] laws and regulations, which is your (Kohnstamm) job to assist. So when said DPA [i]doesn't[/i] respond or assist, and Google interprets the law to the best of their lawyer's abilities, now he's in a snit that Google pressed on?

    Typical civil [s]master[/s] servant mindset...
  • This is no different than the USA "Privacy Act"

    Back when the US Social Security Number was starting to be used by the US Government to identify you for EVERYTHING it does, Congress passed the Privacy Act that states, in effect, that you NEVER have to give out your Social Security Number to the Government or any private company and it is not to be used for identification at all. However, each and EVERY government agency then wrote the rules to state in effect "You do not have to give us your SS number, however failing to provide it means we cannot provide you with any service you are entitled to." So it is effectively useless and you must ALWAYS provide a SSN to get anything (bank account, travel, passport, driver license, taxes, marriage etc etc.)

    Google is doing the SAME THING. You do NOT have to agree to their privacy rules - but if you don't then we will NOT provide you with any services at all you want to use.

    They are following the SAME EXACT LEAD as the Federal Government - and no one has ever stopped them from demanding the release of your SSN in order to get service; so Google has a SOLID standing to use the same rules as the US Government for THEIR privacy rules.

    The EU is just trying to extort money from Google like they do for any company that has more money than the EU since they really provide no service for the money they spend.