/ 6 July 2013

Google could face legal sanctions over privacy policies

The Google headquarters in Mountain View
The Google headquarters in Mountain View

Privacy watchdogs in the UK, Germany and Italy have told Google to rewrite its privacy policy in Europe or face legal sanctions, 15 months after the search giant unilaterally altered them to unify data collection.

The move follows similar complaints to the US company last month from the equivalent organisations in France and Spain, and ratchets up the attention over its handling of the huge amounts of personal data that it collects from users every day.

Google has already been censured in Europe over its collection of Wi-Fi data, including usernames, passwords and web page viewing while collecting photos for its Street View system. Both European privacy authorities and US legislators have demanded clarification from the company about the data protection implications of its Google Glass head-mounted system, which can take pictures and video without onlookers knowing. It has also been implicated in a data-sharing row over the NSA's Prism program, which has collected information from a number of US companies including Google, Microsoft and Apple.

Now the Information Commissioner's Office in the UK says that the new privacy policy, introduced in March 2012, raises "serious questions" about compliance with the UK Data Protection Act, and has given Google until 20 September to recast it.

Meanwhile, the head of the powerful equivalent in Hamburg, Professor Johannes Caspar, announced that he will call Google into a legal hearing because the new policy "violates the company's commitment to full transparency about the use and handling of the data".

France and Spain wrote similar letters to the company in June, with France's CNIL threatening fines if it did not comply.

Google said in a statement: "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we'll continue to do so going forward."

But a spokesperson did not explain how its policy could simultaneously respect European law and be the target of censure from five European privacy authorities.

Nick Pickles, director of privacy campaign group Big Brother Watch, said: "This is the latest confirmation that consumers are being kept in the dark about what data on us Google collects and how that data is used.

"Google ignored concerns its policy broke the law and put its profit before the legal rights of British citizens.

"The main issue is that sanctions must be strong enough to make Google take real action, rather than the previous meagre penalties that are seen as a cost of doing business. Regulators around the world must act to ensure concrete steps are taken to uphold peoples rights and stop Google routinely trampling on our privacy."

Google said in January 2012 that it would rewrite its privacy policies to unite them across its disparate sites such as YouTube, Maps, Shopping, Mail and Search so that people's data use would be unified. Despite warnings from the CNIL and others that the change might not be lawful, it implemented the change in March 2012.

On Thursday, the ICO said: "we believe that the updated policy does not provide sufficient information to enable UK users of Google's services to understand how their data will be used across all of the company's products. Google must now amend their privacy policy to make it more informative for individual service users."

If Google fails to comply, the ICO says it will be considered in contempt of court. It could then issue an enforcement notice through the courts. In an extreme case it could issue a £500,000 fine – though a spokesperson said it would need to show individuals had been harmed by the policy.

The ICO defended the 15 months it had taken to determine that Google's policy does not comply with privacy laws: "It's not just about examining what is and isn't in the privacy policy itself. It's also about examining what the products and services actually do with the data." –  © Guardian News and Media 2013