Europeans: Google Privacy Policy Not Illegal But Please Make Some Changes

After all the saber rattling, commentary and anticipation yesterday there was an expectation that Google would be asked by European data protection authorities, led by the French privacy regulator CNIL, to “unravel” or roll back its unified privacy policy. There was also a strong suggestion that there might be fines imposed. Instead we essentially got a relatively polite request to make some modest changes to the privacy policy, mostly around disclosures to end users.

The coverage today of the CNIL letter to Larry Page (embedded below) is all over the map, with some outlets focused on hypothetical future drama and action that might be taken if Google makes no changes. For example the BBC quotes CNIL’s president Isabelle Falque-Pierrotin, saying that Google has “‘three or four months’ to make the revisions, otherwise ‘authorities in several countries can take action against Google.'”

Fundamentally, however, European data protection authorities did not claim that Google’s privacy policy violated any European law or rule. This is a major victory for Google and consistent with the prior statements by Google’s privacy counsel Peter Fleischer who has repeatedly asserted that Google’s privacy policy is in compliance with European laws.

The European authorities also express some confusion or mystification over what Google is doing with the data and want the company to be more clear with them and the public generally. In relatively plain English the following are central recommendations coming from CNIL and the other EU data protection authorities:

• Commit publicly to privacy principles advocated by the EU data protection authorities
• Tell users what data are being collected and how they’re being used
• Give users the ability to consent or opt-out of Google’s uses of combined personal/behavioral data (in other words give users more control)
• Identify the data retention periods of the combined data and comply with European data retention standards

Google has said it’s doing nothing different than other US based companies; however the Europeans haven’t looked closely at others save Facebook in other privacy contexts. Microsoft’s similar privacy policy may eventually come under scrutiny but hasn’t yet.

Google has said it’s studying the document and will continue to work cooperatively with European authorities. It’s quite possible, however, that Google won’t change anything significant and simply keep talking to the various European data protection authorities. There’s really no stick here compelling them to do much of anything given that there’s no finding of illegality.

The implication of some of the public statements made by CNIL president Isabelle Falque-Pierrotin in particular, however, is that Google has a limited window to “comply” with Europe’s request and if it fails to do so there might be subsequent action. For now CNIL has only asked for Google to give it some indication of how the company might address the concerns and recommendations expressed in the letter.