Google in Crosshairs of UK and Other Privacy Watchdogs

Google Inc (Google) has been forced sign a formal undertaking to change its privacy policy in the UK following a three-year investigation by the country’s privacy watchdog – but the company has avoided a fine.

The Information Commissioner’s Office (ICO) found that Google was too vague when describing how it collects and uses the personal data of users of its web services and products. The ICO investigation was initiated after Google introduced a new privacy policy in March, 2012 that combined approximately 70 existing policies for Google’s various services. The ICO found that the new Google privacy policy did not include sufficient information about how and why a user’s personal data was collected.

The 2012 amendment to the Google privacy policy was intended to clarify that user data could be collected across all of Google’s services and combined. For example, the privacy policy indicated that a user’s personal data collected through Youtube could be combined with a user’s personal data collected through Google Search.

Further, the privacy policy applied to individuals that were not directly accessing one of Google’s products or services but whose data is nonetheless collected when they visit a third party website that uses a Google product or service, such as Google’s advertising products and services (so-called “passive users”). These passive users are often unaware of how their data is being collected and used.

As a result of the ICO investigation, Google has agreed to a number of changes, including:

• enhancing accessibility to its privacy policy to ensure that users can easily find information about Google’s privacy practices;
• implementing measures to ensure that passive users are better informed about the processing of their data, and that third party publishers using Google products obtain the necessary consents;
• revising the privacy policy to avoid indistinct language; and
• providing information that enables individuals to exercise their rights.

Google has faced similar criticisms elsewhere in the world. In December, 2013, the Spanish data protection agency levied a maximum fine of €900,000(CAD 1.25 million) against Google for breaking local data protection laws. A year later, the Dutch data protection watchdog threatened to fine Google €15 million (CAD 21 million) if Google didn’t update its privacy policy by February, 2015.

Google also faces possible regulatory enforcement in Mexico after the Federal Institute for Information Access and Data Protection (IFAI) initiated proceedings that seek sanctions on Google’s Mexican subsidiary for alleged breaches of Mexican data protection law.