European Union panel to pressure Google on privacy rules
By KEVIN J. O’BRIEN
THE New York Times | December 09,2012
In a two-day closed-door meeting this week in Brussels of the European Union’s 27 national data protection officials, the group mapped a preliminary strategy, including the possibility of testing Google’s compliance with national privacy laws in countries like Ireland, Belgium and Finland, where the company operates data centers. That was the word from a person close to the discussions, who spoke on condition of anonymity.
The group may issue a public statement next week on the matter.
The group is focusing on new guidelines that Google adopted this year for collecting information on individuals. Under the new policy, when people are logged into a Google account, the company can use information shared on one service in other Google services. For example, Google could show people an ad on YouTube based on what they have searched for, or fix the spelling of a friend’s name in a Google search based on information from Gmail.
When the guidelines were announced, they were sharply criticized in Europe. Data protection officials from various countries asked the French regulator, CNIL, to study them. In mid-October, that regulator released a report criticizing the guidelines as allowing an “uncontrolled combination of data.”
The 27 European regulators wrote a letter to Larry Page, the chief executive of Google, asking the company to modify the new policy, which governs dozens of Google services — among them the search engine, Android mobile phone apps and YouTube videos. The regulators want Google to give users a better sense of what personal data is being collected and to allow them to better control how that information is shared with advertisers.
CNIL said the method of combining information from Google’s search engine, YouTube, Google+ social network and other services “suggests the absence of any limit concerning the scope of collection and the potential uses of the personal data.”
Google made nearly all of its $37.9 billion in sales revenue in 2011 from Internet advertising, which relies in part on the collection and analysis of user data to produce ads aimed at individual consumers.
When CNIL released its report, Google said it would study the analysis. But the company also asserted that its method of handling consumer data was legal under European Union rules. At a conference in Arizona in October, Page defended the guidelines.
So far the company, which also ran afoul of European regulators in 2010 for its collection of personal data from home Wi-Fi routers in the Street View controversy, has not responded formally to the report by the French regulator.
On Friday, a Google spokesman in Brussels, Alistair Verney, referred to the company’s previous statement in October, which said that Google was reviewing the French recommendations.
When CNIL presented its analysis in October, the chairwoman of the French regulator, Isabelle Falque-Pierrotin, gave the search engine “three to four months” — roughly until mid-February — to respond to its recommendations.
Among other things, CNIL asked Google to heed European restrictions on mixing certain data and to heed Europe’s rules for obtaining prior consent from consumers before collecting personal data.
But CNIL argued in its review that the opt-in disclaimer, which is legal under United States law, was too broad. It also said consumers should be given clearer information and be allowed to individually authorize or reject the collection of certain kinds of data.
While European lawmakers coordinate European Union data protection from Brussels, privacy law is enforced on the national level.
That decentralization is the reason why regulators are considering taking action within a few nations — most likely in countries where Google has physical operations and where national courts could be asked to enforce penalties.
But whether any actions, if they do eventually take place, result in anything other minor sanctions remains to be seen. In general, European national regulators are limited to privacy violation fines of only a few hundred thousand euros against companies or individuals.
A proposed update to European Union data protection law would give regulators the ability to assess much larger fines of as much as 2 percent of a company’s annual sales — which based on Google’s financial performance would equate to about $760 million, based on 2011 revenue of $37.9 billion.
But it is unclear how soon, if ever, those higher penalties will be adopted.
Another person with knowledge of the regulators’ discussion this week emphasized that the group was still hoping Google would adapt its rules in Europe to conform with the Continent’s restrictions on data mining.
“We still have a lot of time left before we come to this juncture,” said another person with knowledge of the group’s discussions, citing the spring deadline for Google’s formal response. “Let’s wait and see what happens.”