Europeans, EPIC Bring More Scrutiny To Google Privacy Changes

The controversy surrounding Google’s privacy policy changes continues on both sides of the Atlantic. The European Commission wants to look more closely at Google’s new, consolidated policy before it goes into effect on March 1, 2012. Meanwhile, back in the US, the Electronic Privacy Information Center has initiated a Freedom of Information Act (FOIA) request to obtain a copy of a privacy report Google filed pursuant to its settlement with the FTC over Google Buzz.

EPIC believes that the new Google Privacy Policy may violate the terms of the Buzz Settlement. In its FOIA request EPIC says that the “consolidation of information creates a number of security and privacy concerns reminiscent of those brought about by the introduction of Google Buzz”:

The Google Buzz-FTC settlement requires the company to obtain user content before sharing information with third parties. However it doesn’t appear to bar Google from using information internally. In addition, the settlement “requires Google to establish and maintain a comprehensive privacy program.” Google would seem to be specifically complying with the mandate in making its privacy policy more unified and coherent.

From what I’ve seen it’s unlikely that the new privacy policy runs afoul of the Google Buzz-FTC settlement terms. However the new Google privacy policy may conflict with tough new “personal data” rules being introduced in Europe. Reuters summarizes those rules, which essentially transfer greater power and control to individuals (vs. companies):

Under the new rules, internet companies such as Google, Facebook and Yahoo would have to ask users whether they can store and sell their data to other businesses, such as advertisers, which is source of almost all their income.

Internet users can also ask for their data to be deleted from websites for good, the so-called “right to be forgotten.”

The ability to use individual data for ad targeting and “retargeting” (in the Google Display Network) could be significantly burdened by new disclosure and opt-in requirements. Right now “interest-based targeting” on the Google Display Network is an opt-out. The new European rules would impact Facebook and all other online entities that store and use personal information for ad targeting or other purposes.

In terms of whether Google’s new privacy policy is something to be concerned about from a consumer perspective, see No, You Don’t Need To Fear The Google Privacy Changes: A Reality Check.

Postscript: Google responded to the European Commission’s request to delay implementation of its privacy policy update/changes. Here are some of the bullets from the letter written by Peter Fleischer, Google’s Global Privacy Counsel:

• Our approach to privacy has not changed.
• Google users continue to have choice and control.
• The privacy policy changes don’t affect our users’ existing privacy settings.
• We’re not collecting any new or additional data about users.
• We are not selling our users’ data.
• Our users can use as much or as little of Google as they want.
• We will continue to offer our data liberation tools.

The full letter is available on Google docs.

Related Entries

• Google’s New Privacy Policy May Violate HIPAA, Congresswoman Says
• Google Confronting Spain’s “Right To Be Forgotten”