Despite a fresh request from regulators to postpone the March 1 adoption of the new policy, the US search company gave no sign of backing down on Tuesday and reiterated its defence of its new approach to handling user data.
The standoff with regulators, along with a deepening public spat as each side claimed the other had failed to communicate adequately, highlights the importance of the new policy to Google’s business as it has grown beyond its search engine roots.
The new approach makes it easier for the company to take what it has learnt about a user from one of its services and use it to shape other services – something that could bring new levels of online personalisation, but which also lets advertisers target their messages more precisely using Google’s full online reach.
The French data protection agency, the CNIL, warned the US company in a letter released on Tuesday that European regulators were “deeply concerned about the combination of personal data across services”, and that they had “strong doubts about the lawfulness and fairness of such processing.”
It added that its own preliminary conclusion was that the new approach “does not meet the requirements of the European directive on data protection, especially regarding the information provided to data subjects”. The agency had been asked by the Article 29 working party, a body which represents Europe’s privacy commissioners, to take the lead in the review.
Google defended its new policy as “simple, clear and transparent”, and said it was confident the approach “respects all European data protection laws and principles.” It also shot back at a claim from the French agency that it had failed to consult adequately with regulators, saying that it had been unable to secure a meeting with the CNIL despite making several attempts. Delaying the switch to the new policy after an extensive consumer education programme would cause “a great deal of confusion to users,” it added.
The French legal warning has thrown a spotlight on whether Google’s new, simplified policy, which replaces the many detailed ones it has had for each service, will leave consumers in the dark about how their personal data will be used in future. It will be “impossible for average users … to distinguish which purposes, collected data, recipients or access rights are currently relevant to their use of a particular Google service,” the agency said.
Google shot back that it would still provide more detailed explanations of how it will use data through other means, such as its online help centre, notifications that appear inside some products and in the “frequently asked questions” sections for its services.