EU regulators have urged Google to implement changes to the way it handles user data. CNIL, an independent French watchdog concerned with data protection, today revealed the results of a probe into Google's much-maligned unified privacy policy at the same time as publishing an open letter to Google CEO Larry Page. The watchdog, which undertook the investigation on behalf of the European Union, explained that its issues stem from Google providing its users with "incomplete or approximate information" on data collection and combination. It identified eight purposes for which Google combines user data:

  • The provision of services where the user requests the combination of data e.g. Contacts & Gmail (case 1)
  • The provision of services requested by the user but where the combination of data applies without the user’s direct knowledge e.g. search results personalization (case 2)
  • Security purposes (case 3)
  • Product development and marketing innovation purposes (case 4)
  • The provision of the Google Account (case 5)
  • Advertising purposes (case 6)
  • Analytics purposes (case 7)
  • Academic research purposes (case 8)

While the report recognizes the legality of data combination in some fields, it claims that Google is in violation of EU data protection regulation in cases 2, 4, 6, and 8 as there is "no valid consent" from users. This data combination violates the "fundamental rights and freedoms of the data subject," and if Google wants to continue collecting data in this manner it "should seek consent from the data subjects" for these specific purposes and provide additional controls for its users to manage what data Google collects.

Google's data combination violates users' fundamental rights and freedoms

Another area that the investigation highlighted is data retention. According to the report, Google refused to provide either a maximum or typical figure for how long it keeps user data. This led regulators to question the effectiveness of opt-out mechanisms and user deletion requests, and the watchdog has requested that Google set maximum retention periods for the data it collects.

Regulators want a partial return to Google's old privacy policy

The EU is fine with Google's unified privacy policy acting as a "general guideline" about its operations, but it wants the search giant to return to its old system, which provided specific privacy notices for each Google product. It says these product-specific privacy policies must include "simple and clear explanations" on when, why, and how location, credit card, unique device identifiers (UDIDs), and telephony data is collected, along with information on how users can opt out. It asks that Google add a specific clause for biometric data where necessary, as there is currently no mention of facial recognition in its privacy policy.

The report also notes that Google does very little to reach out to mobile users and explain what data is being collected from them, and asks that all information Google provides be adapted for mobile. In the future, it wants Google to engage with data protection authorities when it develops services that may have privacy implications.

The watchdog closes its letter to Larry Page saying its "recommendations do not seek to limit the company’s ability to innovate and improve its products, but rather to strengthen users’ trust and control, and to ensure compliance with data protection legislations and principles." It asks the CEO to respond to its letter explaining how and when it will implement the watchdog's recommendations. Google has yet to (publicly) respond to the EU's request.