UK Information Commissioner obtains undertaking from Google regarding inadequate privacy policy

February 9, 2015

In the United States the Federal Trade Commission has been vigorous in taking action against organisations who mislead and deceive in relation to their privacy policies. In Australia the Privacy Commissioner has issued guidelines regarding privacy policy including What to look for in a privacy policy, Guide to developing an APP privacy policy and Guide to developing an APP privacy policy — summary. He has not as yet taken enforcement action.

The UK Information Commissioner’s Office has recently taken very strong action against Google over its privacy policy with Google entering into an Undertaking under the Data Protection Act.

The media release setting out the facts and the chronology provides:

The ICO has required Google to sign a formal undertaking to improve the information it provides to people about how it collects personal data in the UK after concerns were raised around changes to the company’s privacy policy.

The ICO found that the search engine was too vague when describing how it uses personal data gathered from its web services and products.

Google introduced a new privacy policy in March 2012 combining around 70 existing policies for various services, but the ICO ruled that the new policy did not include sufficient information for service users as to how and why their personal data was being collected.

Google has now signed an undertaking committing to make further changes to the privacy policy to ensure it meets the requirements of the Data Protection Act and to take steps to ensure that future changes to its privacy policy comply, including user testing.

Whilst conducting its own investigation, the ICO has worked with other European Data Protection Authorities, as part of the Article 29 working party.

Steve Eckersley, Head of Enforcement at the ICO, said:

“This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products.

“Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law. Ensuring that personal data is processed fairly and transparently is a key requirement of the Act.

“This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services. It is vital that there is clear and effective information available to enable users to understand the implications of their data being combined. The detailed agreement Google has signed setting out its commitments will ensure that.”

The ICO has already worked with Google to ensure a significant number of changes to the policy. The search engine must now make the agreed further changes by 30 June 2015 and take further steps over the next two years.

The ICO plans to update its Privacy Notices Code of Practice later in 2015 to provide organisations with further guidance about how to provide effective privacy information, particularly in online and mobile environments.

Timeline

24 January 2012
Google announces it will merge a number of its privacy policies to create one policy for all its products and services on 1 March 2012.

2 February 2012
Article 29 Working Party, the group of EU data protection authorities, including the ICO, informs Google it will be analysing the new privacy policy, and requests the company delay its launch until the analysis is complete.

1 March 2012
Google launches the new privacy policy, a combination of 70 other policies.

16 October 2012
Article 29 Working Party concludes that the new privacy policy is not compliant with the European Data Protection Directive 95/46/EC with regard to the processing of personal data. Recommendations to make the policy compliant are put to Google with a deadline of 15 February 2013.

26 February 2013
Article 29 Working Party establishes a taskforce with representatives from the French, Spanish, Italian, German, Dutch and UK data protection authorities. Its purpose is for the authorities to consider the privacy policy’s compliance with their respective national laws. Google now has to consider EU recommendations and individual recommendations from each separate country’s data protection authority.

19 March 2013
Google meets with representatives of the taskforce and sets out some measures which it will implement further to the original recommendations of the Article 29 Working Party.

4 July 2013
The ICO writes to Google to say the privacy policy does not meet the First and Second Data Protection Principles which are set out in Schedule 1 Part I of the UK Data Protection Act (fair processing).

6 December 2013
Google proposes a number of changes to the privacy policy with two phases of implementation, the first on 31 March 2014, and the second on 30 June 2014. The company then makes the changes, as proposed, by the respective deadlines whilst engaging in dialogue with the ICO and incorporating feedback on the proposed changes which the ICO had made.

23 September 2014
Article 29 Working Party writes to Google setting out a number of recommendations which have been agreed by the European data protection authorities, including the ICO.

2 December 2014
Google responds to the Article 29 Working Party recommendations setting out a number of improvements aimed at addressing the Working Party’s concerns.

21 January 2015
Following a period of dialogue and engagement with the ICO, Google agrees to sign an undertaking committing to all the changes suggested by 30 June 2015, with ongoing commitments for the next two years.

The undertaking is a good template in terms of expressing what should be in remedial documents such as an undertaking, drafted in a privacy law context. It provides, absent numbering:

…….
On 24 January 2012 the data controller publicly announced that it would be changing its privacy policies on 1 March 2012 by merging approximately 70 different policies into one policy, hereafter referred to as the ‘Privacy Policy’. The new Privacy Policy was to apply to all of the products and services offered by the data controller, with the exception of a limited number of services and products which were to still have additional policies. Whilst under the pre-existing policies the data controller was able to combine personal data across some products and services, the new Privacy Policy was intended to make it clear that data could now be combined across all products and services. By way of example personal data collected through YouTube could now be combined with personal data collected through Google Search.
The new Privacy Policy was to apply equally to Google account users when they are signed in and out, and to users who do not have a Google account yet access the data controller’s products and services. However the type and quantity of data collected would differ between these groups of users. It would also apply to individuals who are not directly accessing one of the data controller’s products or services but whose data is nonetheless collected when they visit a website which uses a data controller product or service as a third party, such as the data controller’s advertising products and services. These latter individuals will hereafter be referred to as ‘passive users’.
It was acknowledged that the data controller had taken steps to promote and highlight the changes made to the Privacy Policy, in particular, providing advance notice to users by email, on Google sites, and upon user log-in the month prior to launch. However, the all-encompassing nature of the new Privacy Policy for all products prompted concerns as to whether it would comply with the European Data Protection Directive and relevant national laws. One of the main concerns was whether the Privacy Policy would provide sufficient information so that service users could understand how their personal data was collected and used by the data controller and therefore compliance with the first data protection principle.

On 2 February 2012 the Article 29 Working Party (‘WP29’), of which the Information Commissioner (the ‘Commissioner’) is a member, informed the data controller that it would be analysing the new Privacy Policy, and requested that the data controller delay the launch of the Privacy Policy whilst the analysis took place. This analysis was to determine whether the Privacy Policy was compliant with the European Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (‘CNIL’), was tasked with conducting this investigation on behalf of WP29 with a view to ascertaining further details regarding Google’s processing of personal data, and the transparency of the Privacy Policy.

………

In particular the Commissioner recommended that the data controller should do more to bring users’ attention to processing which would not be within their reasonable expectations. When considering this point it was noted that some users will not have sufficient technical knowledge to fully appreciate the ways in which the data controller can obtain their data from their use of the data controller’s products and services, how the data is combined, and how behavioural advertising on the internet operates. It was suggested that further examples of the processing would assist in this regard.

With respect to the descriptions of the purposes for which personal data is processed in the Privacy Policy the Commissioner considered that the descriptions were too vague, especially in relation to the improvement of services, development of new services and the potential combination of data across services. The Commissioner recommended that further information should be provided to users in order for the processing for these purposes to be made fair.
It was made clear in the 4 July letter that the Commissioner expected changes to be implemented by 20 September 2013, in line with steps being taken by some other data protection authorities.
Shortly thereafter the data controller approached the Commissioner to request a meeting to further understand the recommendations which had been made, and to discuss how the data controller could address these. The Commissioner’s staff met the data controller. During the meeting the data controller explained that it would not be able to implement all changes by the 20 September 2013 deadline. The data controller explained that it did not believe it would be appropriate to make changes to the global Privacy Policy further to the Commissioner’s recommendations, to then change it again to satisfy the requirements of each of the data protection authorities as and when each authority made its recommendations. The data controller therefore suggested a period of dialogue and engagement so that it could understand the various recommendations with a view to putting forward proposals which would address the concerns of all of the data protection authorities at the same time. The Commissioner accepted the reasons for this approach, and considered it to be in the interests of the users of the data controller’s products and services as multiple changes to the Privacy Policy over a short period of time might confuse users further.

Once the data controller had received sufficient information from the various data protection authorities to enable it to put forward a potential solution, a proposal was made on 6 December 2013. The data controller proposed to:

Change the Privacy Policy and provide further notice to users by:

  • Developing an overlay to the Privacy Policy which would include clarifying examples to illustrate what the text of the Policy means in practice.
  • Providing a new section within the Privacy Policy with additional relevant information, including information about the data controller’s use of cookies, by including links to existing information pages to increase the accessibility of the information.
  • Providing additional explanations of technical terms.
  • Enhancing the navigation, structure and terminology on the Policies website.
  • Internally document its standards for in-product notices and consent flows on the data controller’s sites.
  • Provide increased notice, information, and help for passive users.
  • Contracts with partners in connection with products such as AdSense, DoubleClick, and Google Analytics which would require publishers to disclose the data collection, sharing, and usage that takes place on their sites as a consequence of using Google products.
  • Help publishers meet the duties set out in the EU ePrivacy Directive concerning cookie information.
  • Internally document its cookie review and approval process.
  • Simplify, enhance and unify general user privacy controls.
  • Enhance its internal user data deletion policies.

These changes were to be implemented in two separate phases. The first set of changes, including the substantive changes to the Privacy Policy itself and the supporting web content, were to be implemented on 31 March 2014, and the second on 30 June 2014.
Following these proposals the Commissioner considered whether they would address his concerns. The Commissioner considered that they would as long as sufficient information was provided, and this information was easily accessible. The Commissioner therefore continued to engage with the data controller and his staff met with the data controller’s representatives shortly before the 31 March 2014 changes to provide feedback on the draft proposals.

The data controller then implemented the changes, as proposed, by the respective deadlines. The Commissioner has considered the changes which have been made and whether formal regulatory action would be appropriate in respect of the primary concerns which he had at the outset of the matter. An Enforcement Notice has been considered but in light of the changes which have been made, and the data controller’s commitment to ongoing dialogue with the WP29 and the Commissioner with a view to further improvements to the Privacy Policy, the Commissioner does not believe such action to be appropriate or necessary in the circumstances.
However the Commissioner believes further improvements can still be made and so it is agreed that in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:

The data controller shall, as from the date of this Undertaking and for a period of two years thereafter, implement (having regard to the fact that some measures have already been implemented) appropriate measures to:

(1) Carry out the steps set out in Annex 1 with regards to the accessibility and content of the Privacy Policy and associated web content by 30 June 2015,

(2) Ensure that there is continued evaluation of the privacy impact of future changes to processing which might not be within the reasonable expectations of service users so that users are provided with prompt and adequate notice of such processing,

(3) Keep the content of the Privacy Policy and associated web content under review and take appropriate actions so that service users are informed as to the ways in which their personal data may be processed,

(4) Keep the overlay examples for the Privacy Policy under review to ensure that informative and relevant examples are always in use,

(5) Continue to ensure that any significant future changes to the Privacy Policy are reviewed by user experience specialists and with representative user groups before the policy and associated tools are launched as appropriate,

(6) Continue to pro-actively cooperate with the Commissioner and provide appropriate advance notice of any significant changes, and respond promptly to enquiries relating to the ways in which Google processes user data and its proposals for consequential changes to the Privacy Policy and supporting web content,

(7) Provide a report to the Commissioner by August 2015 setting out the steps which the data controller has taken in response to the commitments set out in this undertaking.

In addition to these undertakings the data controller also commits to on-going dialogue and engagement with the Commissioner’s Office.

ANNEX 1

  • Google will enhance the accessibility of its Privacy Policy to ensure that users can easily find information about its privacy practices.
  • Google will enhance the disclosures in its Privacy Policy to describe its data processing activities more clearly, including the types and purposes for which it processes user information, and to provide users with information to exercise their rights.
  • Google will provide clear, unambiguous and comprehensive information regarding data processing, including an exhaustive list of the types of data processed by Google and the purposes for which data is processed.
  • Google will provide information to enable individuals to exercise their rights.
  • Google will provide a user resource covering data processed by Google and the purposes of processing.
  • Google will include two provisions of the Google Terms of Service, regarding the processing of email data and the shared endorsement feature, in the text of the Google Privacy Policy.
  • Google will add more information to its Privacy Policy about the entities that may collect anonymous identifiers on Google properties and the purposes to which they put that data.
  • Google will implement several measures to ensure that passive users are better informed about the processing of their data and that publishers using Google products obtain the necessary consents.
  • Google will revise its Privacy Policy to avoid indistinct language where possible.
  • Google will enhance its guidance for employees regarding notice and consent requirements.
  • Google will ensure, so far as practicable, that the requirements of the first principle are applied equally to all Google products, regardless of which terminal device the Google user is accessing them on, including mobile, tablet, desktop, and new hardware offerings.
  • Google has implemented a multi-layered approach to its Privacy Policy and will make additional changes to further enhance the layers.
  • Google will launch a redesigned version of Account Settings, which will allow users to find a variety of controls and information more easily, and will more prominently feature the Dashboard at the top level.
