March is proving to be an exciting month for European technology and privacy lawyers, notably with the Commission Nationale de l’Informatique et des Libertés (CNIL)’s announcement that Google’s new privacy policy is likely to be in breach of European Law.
At first glance, such a proclamation sounds ominous for all organisations that collect user data in order to provide targeted marketing services to organisations. However, a quick look at the law behind the headline should provide both established businesses and potential start-up enterprises with cause for relief.
The first thing to take away from the CNIL’s open letter to Google is that, in principle, there is no legal objection to the use of a combined policy for multiple services. Indeed, the CNIL even goes so far as to “welcome Google’s effort to streamline and simplify its privacy policies” across its various platforms.
The CNIL’s problem with Google’s new policy is about the level of transparency that it provides to users. Specifically, it is concerned that “the new privacy policy provides only general information about all the services and types of personal data Google processes”, which as a consequence means that it is “extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals”.
What does a data-gatherer need to tell a data-subject?
The real objection, then, is not that Google can’t do what it wants to do with user data (collect it and share it across multiple platforms); it’s that it can’t do it without telling its users exactly what data is going to be recorded and to whom the records will be disclosed.
The legal basis for the CNIL’s concerns can be found within Articles 10 and 11 of Directive 95/46/EC, which state that where data is collected from or about ‘data subjects’, those subjects have the right to know the ‘categories of data’ that are being recorded, the ‘purpose of the processing’ of that data, as well as the ‘recipients or categories of recipients’ to whom it will be made available.
While the CNIL has not publicly spelled out the steps that it feels Google needs to take in order to achieve compliance, it’s a fair bet that a satisfactory redress probably involves Google specifically disclosing to users the details of which types of data each of its services collects and then circulates to the others. More crucially, it may even need to explain the purposes for which its separate platforms then use that data.
Ultimately, however, Articles 10 and 11 reflect little more than the “informed consent” principle that underpins “data protection/privacy” laws and the protection of individual rights. The CNIL’s objections in this instance simply spell out the fact that the ‘Informed’ part of that principle is just as important as the ‘Consent’.