Google's 2012 privacy policy changes: the backlash and response

In part because it's still in the appeal process, Google attempted to fight the order, which specified a large-text notice right below the front page's search buttons. "Google has always maintained that page in a virgin state," said attorney Patrice Spinosi. France's top administrative court, however, upheld the decision on Friday. Other companies have been required to post similar notices in Europe; Apple, for example, was required to tell visitors that it lost a UK lawsuit against Samsung but landed in hot water for excessive editorializing. CNIL looked for ways to multiply the fairly low maximum privacy violation fine, and this is a way to make sure deep-pocketed Google feels its effects.

France has been particularly pro-active on taking Google to task for privacy violations, but the company is also facing action in the UK, Germany, Italy, and the Netherlands. Its controversial 2012 privacy policy let data be shared between different services like Search and YouTube, something that critics said effectively created invasive, unified user profiles that could not be opted out of. Along with privacy concerns, Google has clashed with European regulators over antitrust laws, recently reaching an agreement that will see it list search results from its competitors alongside recommendations from its own services and theoretically avoid a fine of up to $5 billion.

The privacy policy that Google implemented in March of 2012 violates Dutch privacy laws, the country's data protection agency has found. In a report issued today, the DPA said that Google has "no legal ground" to use things like tracking cookies to collect and unify information about website visitors. "The combining of data by Google from and about multiple services and third-party websites for the purpose of displaying personalized ads, personalization of services, product development and analytics constitutes a major intrusion into the privacy of the users involved," reads an informal English translation. "Some of these data are of a sensitive nature, such as payment information, location data and information on surfing behavior across multiple websites."

European regulators have long been displeased with Google's revised privacy policy that went into effect in 2012, and now a French watchdog is moving forward with sanctions today after the internet company failed to address privacy concerns. The Paris-based Commission nationale de l'informatique et des libertés (CNIL) said today in a statement that Google "has not complied with the requests laid down in the enforcement notice," and the chair of the commission will "designate a rapporteur for the purpose of initiating a formal procedure for imposing sanctions" — setting off what may be a months-long process. Google faces a maximum fine of €150,000 (about $198,300) for its first offense, but a source tells The Wall Street Journal that the agency is investigating whether it has the power to treat every French Google user as a separate infraction, multiplying that maximum fine by many times.

The CNIL completed its original investigation of Google's privacy practices in October 2012, requesting that the company heed the agency's recommendations to alter its policies. The privacy policy in question combined several dozen separate policies under one umbrella, allowing Google to take advantage of user data from its multiple different services at once. The CNIL, which led the investigation for the European Union, said that the combination of the policies violated the "fundamental rights and freedoms of the data subject," adding that Google should be more transparent about its policies and request permission from its users, among other recommendations.

Before Google rolled out its controversial new privacy policy last March — the one that sparked government concerns around the world and could trigger fines in Europe — Google actually considered providing users with a simple privacy slider to let them choose the maximum amount of information to share across every one of its services, according to The Wall Street Journal. Google CEO Larry Page himself reportedly asked for the privacy slider. So why wasn't it adopted? Apparently, Google was worried that people wouldn't share information on its new Google+ social network if they had an easy way to opt out of data collection.

Last month France acted on a year-long investigation into Google's new privacy policy in the EU, demanding the company change its policy or face stiff fines. Now, the UK and Germany are piling on. The UK's Information Commissioner's Office says that Google's policy, last updated in March 2012, "does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products." The ICO is giving Google until September 20th to update the policy or face "the possibility of formal enforcement action."

Germany, meanwhile, has already scheduled a hearing for August, where Google will need to defend its privacy policy, reports Computerworld. Google's privacy policy has been the subject of intense scrutiny in the EU, who argue that despite Google's attempts to make it simpler, it still is too vague and confusing.

France's data protection agency has ordered Google to change its privacy policy, following a year-long investigation into the company's practices. In a press release published Thursday, the Paris-based Commission nationale de l'informatique et des libertés (CNIL) said Google's data collection policies are in violation of the French Data Protection Act, and gave the company three months to make adjustments. Should Google fail to make changes within three months, it would face an initial fine of up to €150,000 (about $198,300), and a second fine of up to €300,000 ($396,500) if the search company continues to neglect the CNIL's orders.

The CNIL also said that data watchdogs in Germany, Italy, the Netherlands, Spain, and the UK are considering similar actions against Google, which could result in more sanctions and fines.

After a lengthy investigation, the French independent administrative authority CNIL has advised EU countries to take action against Google over its privacy policy. In a press release today, CNIL said that Google has failed to respond to its requests to modify the policy, and the watchdog passing the matter over to member states to deal with accordingly. The UK, France, Italy, Germany, Spain, and the Netherlands were all involved in the investigation, and It's now up to regulators in each country to look into the matter and decide what action to take.

A spokesperson for the UK Information Commissioner's Office (ICO) told us that it is launching a new investigation following on from CNIL's. The purpose of the investigation is to establish if Google's privacy policy violates the UK's Data Protection Act. The ICO also confirmed that several data protection authorities across Europe are launching similar probes.

Google has confirmed to The Verge that lead privacy director Alma Whitten will be leaving the company after 10 years. Software engineering director Lawrence You, who's been with the company eight years and is a founding member of Google's privacy team, will be taking over the job. A Google spokesperson said in part "Alma has done so much to improve our products and protect our users." But Whitten leaves behind a mixed record as Google's privacy director, especially in recent years, when the company ran into trouble with governments around the world for practices deemed disconcerting at best and violations at worst.

Whitten joined Google in 2003 but became privacy director in 2010, just after Google admitted to secretly capturing Wi-Fi data from homeowners' unprotected networks using its StreetView cars. The company paid a $25,000 fine to the US Federal Communications Commission and another $7 million fine to states to settle that issue while she was in charge. Whitten also oversaw Google's move to merge its more than 60 privacy policies into one master privacy policy, which drew questioning from US Congress and is still under scrutiny by European regulators.

The European Union first expressed concern about Google's new privacy policy last February, and now, more than a year later, Reuters reports that EU regulators are preparing to take action against the company this summer. Last October, after a probe into Google's new privacy policy, regulators urged the company to revise its policy in order to comply with data protection laws. Regulators were not pleased with Google's response.

EU regulators gave Google four months to change its policies last October, and the French privacy regulator leading the EU's investigation said that the company "did not provide any precise and effective answers." Reuters reports that the EU's action this year will begin with the creation of a working group to coordinate EU data protection authorities. No action beyond "a further inquiry" has been announced.

EU regulators have urged Google to implement changes to the way it handles user data. CNiL, an independent French watchdog concerned with data protection, today revealed the results of a probe into Google's much-maligned unified privacy policy at the same time as publishing an open letter to Google CEO Larry Page. The watchdog, which undertook the investigation on the behalf of the European Union, explained that its issues stem from Google providing its users with "incomplete or approximate information" on data collection and combination. It identified eight purposes that Google combines user data for:

While the report recognizes the legality of data combination in some fields, it claims that Google is in violation of EU data protection regulation in cases 2, 4, 6, and 8 as there is "no valid consent" from users. This data combination violates the "fundamental rights and freedoms of the data subject," and if Google wants to continue collecting data in this manner it "should seek consent from the data subjects" for these specific purposes and provide additional controls for its users to manage what data Google collects.

The Google Drive cloud storage service launched yesterday to much fanfare, but as with any new Google product, there are important questions about how the company will actually use personal data uploaded to the system. Google sells ads against your data, after all, and the more data you give the company, the more opportunity it has to screw up. That means the Google Drive terms of service and privacy policy are critically important, and there's been a lot of selective interpretation floating around the web in the past 24 hours — and a lot of comparisons to the privacy policies of competitive services like Dropbox and Microsoft's SkyDrive.

That's great — all web services should be subject to harsh scrutiny of their privacy policies — but a close and careful reading reveals that Google's terms are pretty much the same as anyone else's, and slightly better in some cases. Let's take a look.

The European Union's concerns over Google's new privacy policy have led to a France-led investigation into the changes, and now Google has responded to the first volley of questioning into the matter. In a letter to France's National Commission for Computing and Civil Liberties (CNIL), the company addresses 24 of the 69 questions it was asked in a March 16th letter from the body, stating that the company has "worked hard" to provide a policy that is easily understood by users, and that if the body looks beyond the Privacy Policy alone, Google's products in total follow "the requirements of European data protection laws." Google points to several examples, such as the sharing-disabled default settings of Google+, and the informative statements provided when using the "Find My Face" facial-recognition feature for the first time.

Of vital interest is how Google plans to share information it collects on users, something that has garnered attention from US lawmakers as well. The CNIL asked 21 separate questions on the topic in its questionnaire, none of which were addressed in Google's current letter. We shouldn't have to wait too long to hear Mountain View's thoughts, however: according to Reuters, Google will be answering the rest of the questions by April 15th.

The European Union launched a France-led investigation into Google's new privacy policy in February, and now that the policy has rolled out EU justice commissioner Viviane Reding says it breaches the union's law. Reding told the BBC that "the new rules are not in accordance with the European law, and that the transparency rules have not been applied," adding that another issue is that "nobody had been consulted" about the changes. Google responded indirectly on its official blog, stating that the policy — which consolidates 60 different privacy policies for various Google products into one — actually makes things clearer and simpler.

Google also explained that the company has "undertaken the most extensive user education campaign in our history" to inform users of the privacy changes, though Reding believes that those efforts have not been enough. She said that 80 percent of citizens in the UK, for example, are concerned about the new conditions, while privacy group Big Brother Watch stated that only 47 percent of those citizens are aware of the agreement and just 12 percent have actually read it. Despite requests to delay the changes, Google's new policy has been put in place today. While the EU hasn't announced its plans for dealing with the policy, France's National Commission for Computing and Civil Liberties will be sending Google a questionnaire early this month to provide further clarification on the changes.

Google's new privacy policy is going into effect today, despite widespread criticism that saw the company release an ad campaign in order to win public support for the changes. Among those critical of the new policy have been EU investigators, who claim they weren't adequately briefed of Google's changes; the chairman of the FTC, who called the new policy "a fairly binary and somewhat brutal choice;" and even 36 US attorneys general, who jointly sent a letter to the company expressing their concerns. Another not-unexpected critic has been Microsoft, although Google has been quick to counter — when Microsoft announced plans to run a series of newspaper advertisements critical of Google's new policy last month, the company responded the same day with a blog post dissecting many of the individual claims.

While the company insists it isn't selling your personal data to others or "collecting any new data," most of the criticism over the new policy boils down to concerns over how Google is handling the personal information it is collecting. Those concerns range from whether consumers are adequately informed about the specific personal information and access rights they're surrendering when they use Google's services, to the implications of Google's richer data profiles — particularly as they relate to hacking and identity theft.

Google's global privacy counsel Peter Fleischer responded in a letter to the CNIL later in the day. Fleischer stated that Google had tried to meet with the French authority, but was unsuccessful. However, he noted that the new privacy policy "respects all European data protection laws and principles."

He couldn't talk about the details of last year's Google Buzz settlement, but that didn't stop FTC chairman Jon Leibowitz from calling Google's new privacy policy "a fairly binary and somewhat brutal choice that they're giving consumers" on an episode of C-SPAN's Newsmakers on Sunday. The new policy, which goes into effect March 1st, has faced opposition from the EC's Article 29 Working Party — a government group tasked with advising the Commission on data protection, and even a group of 36 US attorneys general. The backlash has even prompted the company to launch an ad campaign explaining what it means to Google's users — in other words, people who use the internet. Leibowitz agrees that Google's been upfront about the changes it's going to make — the question is whether or not being upfront is enough.

Google's new privacy policy is set to go into effect a week from now, but the change is still being contested by regulatory bodies worldwide. In a letter sent yesterday to Google CEO Larry Page, 36 US attorneys general raised a number of issues with the policy, including their concern over the ability to opt out, the potential problems with sharing user data between services, and the dependence of Android smartphone owners on Google for service. They also brought up the effect that the policy could have on Google Apps for Government users, who will "need to spend taxpayer dollars determining how this change affects the security of their information."

Although the letter noted several documents Google has sent to members of Congress and individual attorneys general, it says that these "have raised as many questions as they have answered." Fundamentally, however, we can't see any response really satisfying the letter's biggest request: that the unified privacy policy be made opt-in for all users. Google has been asked to respond by February 29, the day before its new policy is currently scheduled to kick in.

Add the European Union to the list of those taking issue with Google's new privacy policy: Reuters is reporting that the EU wants Google to delay the implementation of its new privacy policy so it can investigate whether users' data is sufficiently protected under the new rules. This request was made by the Article 29 Working Party, an independent group of data protection from the EU's 27 countries, plus the EU's executive European Commission (whose VP recently spoke out against SOPA), with France's data protection authority leading the proposed investigation. The EU's request is particularly timely, coming one week after the European Commission outlined its plans to revamp its 17-year-old data protection rules to more strongly protect private user information.

In its statement, the group said that it wishes to "check the possible consequences for the protection of the personal data of these citizens in a coordinated way" and that the group is calling for "a pause in the interests of ensuring that there can be no misunderstanding about Google's commitments to information rights of their users and EU citizens." Al Verny, Google's spokesperson in Brussels, noted that Google was a bit surprised by the request, since it briefed most members of the working party prior to the public announcement of its changes. However, the company is still "happy to speak with any data protection authority that has questions" — note that he didn't say Google was happy to delay its new policy, which is still scheduled to go into effect on March 1st.

Microsoft's decision to bring the video back to life clearly follows its exploitation of the concern around Google's privacy policy amendments. The software giant is running full page adverts in several major US newspapers this week, highlighting Google's privacy policy, and the Gmail Man coincides perfectly with the online war between the two companies. Google responded to Microsoft's newspapers ads earlier this week, but will they respond this time with a Hotmail Man?

Google's had a rough week since it first announced revisions to its privacy policies — the government's keeping watch and Microsoft just released ads explicitly mentioning Google as a way to play off consumer fears about the privacy of their data. Google's not taking it lying down, though — following up on ads it started running today, Google has posted a long rebuttal of many claims that have surfaced, with a special focus on Microsoft's commentary. Google refutes a number of claims, including that it makes money selling personal information and that it changed its privacy policy to make it harder for users to control their information and make collected data more valuable to advertisers The main message coming from Google is that privacy controls are not changing at all, just that it's streamlining the policy (much like it did in 2010).

Google also takes a moment to call out Microsoft for its fear-mongering ads at the end of the blog post, noting that it doesn't make judgements about other companies policies or controls, unlike Google's friends in Redmond. However, Google doesn't shy away from throwing some mud back back by noting that Microsoft doesn't offer any data liberation or dashboard services for users to see all the personal information they've committed to Microsoft's services. While Google's trying to hard to lay fears to rest, it wouldn't surprise us if there's more controversy between now and March 1st.

If you've read a major US paper or taken the New York subway lately, you've probably seen Google's "Good to Know" ads, which offer friendly explanations of cookies and other concepts relating to the company's upcoming privacy policy change. But after being knocked by Microsoft in an ad campaign for not "putting people first," Google is taking a more direct tack: placing web ads that claim "We're changing our Privacy Policy. Not your privacy controls" on sites like the Washington Post.

Microsoft isn't pulling any punches with the adverts:

(Click to enlarge)

Despite Google's best efforts to introduce a simpler universal privacy policy across its numerous products, it seems that its customers aren't finding the new document entirely transparent, with some left confused and concerned by the changes being made. In a post on the Google Public Policy Blog, Google's director of Public Policy Pablo Chavez explains that although the privacy policy might be changing, users' privacy controls — and the permissions they give their content — will remain unchanged.

Chavez is quick to assuage a number of potential fears in the post. He assures users that their private information will remain private, that many tasks will still be available without a Google account, that the centralized privacy tools like Google Dashboard and Ads will remain in place, that Google will not sell data to third parties, and that if users are unhappy then the Takeout service is still available to those who would rather leave.

The government seems to be on high-alert regarding Google's privacy practices. The company only just announced its new simplified privacy policy on sharing your data across all its services, and lawmakers have responded with a long list of questions. In a letter to Larry Page, eight members of Congress asked if users will be able to opt-out of the new data sharing policy, and how they can easily exercise such an option if it exists at all. The letter also asks if teenagers and children will receive special privacy protection, followed by numerous inquiries about collection, sharing, archiving, and ensuring the security of gathered information.

Google has until February 16, 2012 to deliver a satisfactory response to Congress, but it's already addressing concerns about some changes through its Public Policy Blog. The post clarifies that Google has already been using data to improve the user experience for a long time, and the new policy simply makes that clear. "We're not collecting more data about you," the company said, adding that you still have the option to turn off chat and search history, "go incognito," or tailor ads to your interest.