Google defends new privacy policy to European data regulator

Google has responded in a letter to France's data protection agency over claims it broke EU law with its new privacy policy, plus a few harsh words from the Dutch privacy chief.
Written by Zack Whittaker, Contributor

Google has responded to the European Union's concerns over its new privacy policy, which went live on March 1, after several European data protection agencies hit out at the company for being in possible "breach" of EU law.


Europe's data protection advisory agency, the Article 29 Working Party, called on the search giant to put its new privacy policy changes on ice after local data protection authorities warned of the possible breach.

But it didn't, and potentially left the search giant in a legal pickle in the region.

The Commission Nationale de l’Informatique et des Libertés (CNIL), France's data protection agency, wrote a detailed letter of 69 questions to Google and demanded answers by the end of this week at the latest.

Google replied, and its defence as to why it didn't hold off the privacy policy changes was because it would have proved "confusing to our users", after weeks of notifications that the company was consolidating its policies into a single mega-policy.

But in a style true to its own, the search giant revealed very little about its practices or figures, and effectively gave CNIL the brushoff.

Google hit its three-week deadline for submitting answers with a few days spare, but probably because it only addressed --- though not necessarily answering --- only 24 of CNIL's questions it was asked in the March 16 letter.

A Google spokesperson said it will respond to the remaining questions "by April 15", a few days after the 'deadline' expires.

But immediately as Google responded, Reuters reports that the Dutch data protection authority warned that the policy could lead to Google facing "a range of sanctions". Japanese and South Korean authorities have previously warned that the new policy could breach their local law.

Interestingly, Google sheds light on the matter of Europe's data protection agencies reportedly getting up in arms, by saying that in effect, many did not.

On page 3:

"In Europe alone, we provided pre-briefings to 18 [data protection agencies]. Of course, not all DPAs wanted a pre-briefing. This extensive outreach to regulators has, on the whole, been a constructive process. The feedback offered by the regulators we met was helpful. Significantly, none of the DPAs whom we pre-briefed asked us to “pause” our proposed launch of the Privacy Policy prior to Google communicating these changes to our users."

There are 27 member states of the European Union, and a local data protection authority for each state, leading to the suggestion that Google did not ask all local authorities to reveal its plans.

But the Dutch data protection chief, Jacob Kohnstamm, hit back in a war of words by saying it was not his job to have "a cup of tea and a chat" with companies, and that it was their job to comply with the law that Europe sets out.

"I am not going to give advice to Google and do so on taxpayers' money," he added. Fair play to him.

On to page 4:

"After we had completed our DPA pre-briefings and our extensive, global notification campaign for users (which included sending hundreds of millions of emails to users), the Working Party asked us to "pause" the launch of our Privacy Policy. We realise that the decision not to pause has disappointed the Working Party.

But after such an extensive notification it was difficult to see how such a pause was practically possible. At a practical level, “pausing” would have required us to launch yet another mammoth notification campaign, and would have proved confusing to our users."

Also on page 4, Google questioned under what "legal basis for the Working Party to act as a regulatory body, or to mandate the CNIL to conduct a regulatory review on behalf of 26 other independent DPAs?", which is Google's way of saying, "You can't tell us what to do," and hinting that the Article 29 Working Party acted outside of its brief.

It also points to the discrepancies in definitions across the European 27 member states, something that will be fixed in the upcoming Data Protection Regulation, currently going through the European Parliament.

Google does say that in regards to deleting data, it only delete's user personal data "at their request in line with our back-up and retention policies", adding: "Google’s back-up and retention policies are set to take into account users’ interest in security and business continuity. Such policies would, for example, enable us to restore a maliciously deleted user account."

It did not say how long data is retained for, however, and actively avoided the question on page 15.

The CNIL can issue a range of sanctions at a France-only level, and give the company anything from a week to a few months to change its behaviour. The CNIL's response would not have any effect on a European level, unless the European Commission steps in via the Article 29 Working Party.

More from Google on April 15.


Editorial standards