Walking the Data Protection Tightrope: The Google Privacy Policy Investigations

On 2 April 2013, Data Protection Authorities (DPAs) in six EU Member States (France, Germany, Italy, the Netherlands, Spain and the United Kingdom) announced the launch of an official investigation regarding the compliance of Google’s revamped privacy policy with national data protection rules.

This announcement came over one year after the EU’s advisory body on data protection – the Article 29 Working Party – first contacted Google regarding the changes to its privacy policy which came into force on 1 March 2012. Since this first contact, Google formally responded to two questionnaires sent on behalf of the Article 29 Working Party and based on its responses, the Working Party sent Google a letter attaching its main findings and recommendations in October of last year.

Google’s new privacy policy effectively merges the individual privacy policies which were previously in place for Google services. Therefore, rather than having separate privacy policies for services such as Gmail, Google +, Google Maps and YouTube, users of Google services can now access one comprehensive document outlining Google’s privacy policy for all services. ‘Sounds wonderful’ you may be thinking: however, not so, according to national DPAs in the EU. This amalgamated privacy policy may be problematic from a data protection perspective for two (overlapping) reasons: its alleged lack of transparency and the data pooling it facilitates.

First, from a transparency perspective, the Article 29 Working Party claims that Google’s new privacy policy provides users with incomplete and vague information about the categories of personal data collected and the purposes for which it is processed. The policy therefore sits uneasily alongside one of the safeguards provided for by the EU data protection regime, namely the principle of purpose limitation. According to this principle, set out in Article 6(b) of the EU’s Data Protection Directive, data must be collected for specific purposes and cannot be processed for other incompatible purposes. More importantly however, it may negatively affect the ‘right to information’ of individuals which is set out in Articles 10 and 11 of the Directive. This right is one of the cornerstones of the EU data protection regime as, without adequate information regarding which personal data is being processed by whom and why, individuals cannot exercise the other rights granted to them by EU data protection law, for instance the right to have personal data deleted or amended.

The second, related set of problems stem from the pooling of the data of Google users across Google services. Google aggregates the personal data of users of its services for various reasons: for instance, for security purposes, for analytics, for advertising purposes and in many instances because the individual user asks Google to combine their personal data. Yet, combining personal data in this manner can entail risks for individuals. For example, in the event of a data breach, complete individual profiles would be made available thereby facilitating identity theft. Individuals may also object to these more ‘complete’ profiles for more subtle reasons: for example, they may have a chilling effect on what an individual searches for in a search-engine, chats about using Gmail or watches on YouTube. Google could argue that these risks are remote, or indeed that these fears are irrational; however, this merely serves to highlight the need for more transparent information about the extent and purposes of data collection by Google.

Furthermore, this data aggregation raises other data protection concerns in addition to the abovementioned transparency and purpose limitation problems. In order for data processing to be legitimate, it must have a legal basis (for instance, the consent of the individual concerned must be obtained, or the processing must be necessary for the performance of a contract). The Article 29 Working Party argues that in some circumstances, Google has no such legal basis to justify its data processing (for instance, when it combines data for advertising purposes). Moreover, even when this processing is legitimate, the Article 29 Working Party argues that it breaches other rights granted by the data protection regime, such as the right to object. For instance, it notes that the only way an individual can opt-out of the pooling of their personal data for the purposes of product development is by not using the service. This is undoubtedly a far cry from the ‘privacy by design’ ideal promoted by the European Commission and enshrined in the Proposed Data Protection Regulation.

The Article 29 Working Party therefore sets-out a number of recommendations for Google: to obtain consent for data processing, to simplify its opt-out mechanisms for data processing, to use specific cookies to collect data for specific purposes, to provide information describing the purposes and categories of data processed in a clear and accurate manner. While arguably over-prescriptive in points (the Working Party, for example, recommends that Google adopt a particular three-tiered architecture for its privacy policies), if the Working Party is basing its recommendations on correct facts then the recommendations are themselves relatively predictable and unremarkable.

This investigation is of note for other reasons however. First of all, the manner in which the investigation into the allegations is being conducted is of note. Unlike in other fields, such as  Competition law, there is no pan-European regulator to oversee compliance with EU data protection rules in multi-jurisdictional investigations. The European Data Protection Supervisor (EDPS) is responsible only for ensuring the compliance of EU Institutions with data protection law while the Article 29 Working Party – which is composed of representatives of national DPAs – has no enforcement powers. Therefore, while the Article 29 Working Party originally took the initiative to contact Google, it was the national DPAs led by the French DPA (the CNIL) which conducted the preliminary investigation. The results of this preliminary investigation were then set out in the Article 29 Working Party’s recommendations. However, given Google’s (non)reaction to these recommendations, it is once again the national DPAs who will formally initiate their investigations. There is therefore a to-and-fro between national and supranational bodies to ensure comprehensive and coherent enforcement. While the Proposed Regulation will not fill this lacuna in the enforcement artillery of the EU data protection regime by creating a pan-European regulator, it does set out a number of mechanisms to enhance collaboration between national DPAs, including the designation of a ‘lead authority’ and a formal ‘cooperation mechanism’. In this regard, the Google investigation gives national DPAs the opportunity to road-test these new mechanisms and may reflect the way in which multi-jurisdictional data protection issues will be handled in future.

Also of interest is the fact that this investigation again pushes to the fore the increasing tension between respect for fundamental rights in the online environment and the provision of free internet services. While on the other side of the Atlantic it is often argued that if users don’t like what a free service has to offer, they can take their ‘custom’ elsewhere, this has never been the stance in the EU. This is because data protection is conceived as a fundamental right in the EU legal order (Article 8 of the EU Charter). National DPAs must therefore ensure respect for this fundamental right.

Nevertheless, the right to data protection is not absolute (C-92/09 and C-93/09 Volker und Schecke) and so it must be balanced with other rights and interests. In the Google case, other rights might include Google’s freedom to conduct a business (Article 16 EU Charter) and other interests might include the interests of internet users to receive high-quality, user-friendly free services. The focal point of this investigation will therefore be how the balance is struck between data protection and these competing rights and interests. This is an issue on which self-declared pragmatic regulators (such as the UK’s Information Commissioner’s Office and the Irish Data Protection Commissioner) have traditionally (correctly) departed from their continental European counterparts.  For instance, in its audit of Facebook the Office of the Irish Data Protection Commissioner stated that it does not think it is possible to use ‘data protection requirements as a basis to require Facebook-Ireland to deliver a free service from which members can have the right to opt-out completely from the means of funding it’. However, it also highlighted that ‘there is an absolute necessity that members be fully aware of what information generated in their use of the service will be used for advertising purposes thereby allowing them to exercise choice.’ It would therefore appear that while regulators recognise that companies such as Google must have scope to monetise their services using personal data, in so doing the fundamentals of national data protection rules must be respected.

To be continued…..