Google has been under heavy investigation by European privacy agencies ever since the privacy policy changes that integrated around 70 services into one privacy notice (around March 2012). One doesn’t have to know a lot about privacy protection and legislation to understand that this is a nightmare in terms of compliance for any organization.
At least the Dutch DPA, the French, the ICO and the Spanish have had their gripes with Google.
Now, the ICO has announced that Google “promised” to commit to making further changes to the privacy policy to ensure it meets the requirements of the British “Data Protection Act and to take steps to ensure that future changes to its privacy policy comply, including user testing”.
These promises are based on a number of recommendations which had been agreed by the European data protection authorities and brought forward by the Article 29 Working Party.
Google must now make the agreed further changes by 30 June 2015 and take further steps over the next two years to reach a stage at which it can be considered compliant with European privacy rules.
A look at the pledge is interesting because it also shows what other organizations should honor and think about:
- Google will enhance the accessibility of its Privacy Policy to ensure that users can easily find information about its privacy practices.
- Google will enhance the disclosures in its Privacy Policy to describe its data processing activities more clearly, including the types and purposes for which it processes user information, and to provide users with information to exercise their rights.
- Google will provide clear, unambiguous and comprehensive information regarding data processing, including an exhaustive list of the types of data processed by Google and the purposes for which data is processed.
- Google will provide information to enable individuals to exercise their rights.
- Google will provide user resource covering data processed by Google and the purposes of processing.
- Google will include two provisions of the Google Terms of Service, regarding the processing of email data and the shared endorsement feature, in the text of the Google Privacy Policy.
- Google will add more information to its Privacy Policy about the entities that may collect anonymous identifiers on Google properties and the purposes to which they put that data.
- Google will implement several measures to ensure that passive users are better informed about the processing of their data and that publishers using Google products obtain the necessary consents.
- Google will revise its Privacy Policy to avoid indistinct language where possible.
- Google will enhance its guidance for employees regarding notice and consent requirements.
- Google will ensure, so far as practicable, that the requirements of the first principle are applied equally to all Google products, regardless of which terminal device the Google user is accessing them on, including mobile, tablet, desktop, and new hardware offerings.
- Google has implemented a multi-layered approach to its Privacy Policy and will make additional changes to further enhance the layers.
- Google will launch a redesigned version of Account Settings, which will allow users to find a variety of controls and information more easily, and will more prominently feature the Dashboard at the top level.
What happened since 2012?
The ICO posted an interesting summary of the evolution of Google vs. European privacy, which I will paste here in its entirety:
24 January 2012
Google announces it will merge a number of its privacy policies to create one policy for all its products and services on 1 March 2012.
2 February 2012
Article 29 Working Party, the group of EU data protection authorities, including the ICO, informs Google it will be analysing the new privacy policy, and request the company delay its launch until the analysis is complete.
1 March 2012
Google launches the new privacy policy, a combination of 70 other policies.
16 October 2012
Article 29 Working Party concludes that the new privacy policy is not compliant with the European Data Protection Directive 95/46/EC with regard to the processing of personal data. Recommendations to make the policy compliant are put to Google with a deadline of 15 February 2013.
26 February 2013
Article 29 Working Party establishes a taskforce with representatives from the French, Spanish, Italian, German, Dutch and UK data protection authorities. Its purpose is for the authorities to consider the privacy policy’s compliance with their respective national laws. Google now has to consider EU recommendations and individual recommendations from each separate country’s data protection authority.
19 March 2013
Google meets with representatives of the taskforce and sets out some measures which it will implement further to the original recommendations of the Article 29 Working Party.
4 July 2013
The ICO writes to Google to say the privacy policy does not meet with the First and Second Data Protection Principles which are set out in Schedule 1 Part I of the UK Data Protection Act (fair processing).
6 December 2013
Google proposes a number of changes to the privacy policy with two phases of implementation, the first on 31 March 2014, and the second on 30 June 2014. The company then makes the changes, as proposed, by the respective deadlines whilst engaging in dialogue with the ICO and incorporating feedback on the proposed changes which the ICO had made.
23 September 2014
Article 29 Working Party writes to Google setting out a number of recommendations which have been agreed by the European data protection authorities, including the ICO,
2 December 2014
Google responds to the Article 29 Working Party recommendations setting out a number of improvements aimed at addressing the Working Party’s concerns.
21 January 2015
Following a period of dialogue and engagement with the ICO, Google agrees to sign an undertaking committing to all the changes suggested by 30 June 2015, with ongoing commitments for the next two years.
23 March 2018
Google has recently introduced some significant changes in relation to the EU’s General Data Protection Regulation (GDPR). You can read all about the changes and how they will affect you here.
Let’s see where this never-ending story takes us.