This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.nytimes.com/2012/10/17/business/global/17iht-google17.html

The article has changed 7 times. There is an RSS feed of changes available.

Version 3 Version 4
Europe Presses Google to Change Privacy Policy Europe Presses Google to Change Privacy Policy
(about 5 hours later)
BERLIN — European regulators on Tuesday threatened Google with fines or legal action unless it made it clearer to its customers what personal data was being collected from them and how it was being used. BERLIN — What does Google know about its users and how does it know it? European privacy regulators on Tuesday warned the company to clarify those issues or risk fines or other penalties by early next year.
In a letter to Google, the regulators stopped short of describing the company’s 10-month-old data collection policy as illegal. But it noted that Google did not appear to adhere to Europe’s approach to data collection, which requires explicit prior consent by individuals and that the data collected be kept at a minimum. In a letter to Larry Page, the chief executive of Google, 27 European data-protection agencies asked the company to modify its global privacy policy that governs dozens of Google online services including the flagship search engine, Android mobile phone apps and YouTube videos so that users have a clearer understanding of what personal data is being collected and can better control how that information is shared with advertisers.
The regulators couched their requests as “practical recommendations.” But when asked what regulators would do if Google did not accede and make changes, Jacob Kohnstamm, head of the Dutch data protection authority, said national regulators probably would take legal action to compel changes. Along with other Internet companies like Facebook and Microsoft, Google collects personal data, like the sex and age of users and their Web browsing histories, in order to tailor their services to individual users and also to sell ads.
“After all, enforcement is the name of the game,” Mr. Kohnstamm said. When Google introduced the privacy policy last winter, it described it as a way to streamline its use of personal data across a range of services that were each previously covered by separate privacy guidelines. And in keeping with European privacy law, Google said it was collecting the data only if users “opted in.” But opting in essentially became a requirement of using each of the services, by clicking the “I Agree” button before using the service for the first time, after the new policy went into effect.
The request was made at a news conference in Paris by the French regulator, known as CNIL, or the National Commission for Computing and Civil Liberties, which was enacted on behalf of all European data regulators. Analysts say the impact on Google’s business of accepting the regulators’ recommendations depends on whether customers readily accept having to opt into a more detailed privacy policy. If large numbers of users opt out, Google’s advertising revenue would suffer.
Google announced the new policy in January, billing it as a way to streamline and simplify the privacy practices it employed worldwide across about 60 different online services, and to introduce greater clarity for users European privacy regulators had expressed concern last winter about the new procedures and had asked Google to delay implementing them. After the company declined, the European Commission asked France’s privacy agency to take the lead on a legal analysis, which resulted in the warning letter Tuesday to Mr. Page.
Google informed customers of its services, which include Gmail, Google Maps and YouTube, of the changes until they took effect in March, requiring them to agree to them in order to access their accounts. The privacy regulators said Google provided users with incomplete disclosure about its processing and storage of the data, as well as insufficient control over how information from different Google services is blended to build detailed personal profiles. Google also makes it too cumbersome for users to block the collection of these data, the regulators said.
European regulators voiced their concerns almost immediately and CNIL conducted an inquiry that lasted semonths. “The new privacy policy allows an unprecedented combination of data across different Google services,” Isabelle Falque-Pierrotin, chairwoman of the French data-protection authority, said at a news conference in Paris. “We are not opposed to this, in principle, but the data could be employed in ways that the user is not aware of.”
Isabelle Falque-Pierrotin, the chairwoman of CNIL, said her agency was giving Google “three to four months” to respond to its concerns. Ms. Falque-Pierrotin, whose agency, called CNIL, conducted an investigation of the policy change on behalf of the other European Union data-protection authorities, said she would give Google “three to four months” to make changes. If the company refuses, she and other officials said, the data-protection authorities might take legal action or impose fines.
“If Google does not implement these recommendations, we will pass to a different phase, a phase of sanctions,” Ms. Falque-Pierrotin said. Google said it was reviewing the letter and an accompanying report from the data-protection authorities, but added that it was confident that the new policy respected European Union law.
Enforcement of privacy law in Europe remains a matter for national regulators. In France, CNIL has the legal ability to fine companies as much as €300,000, or about $390,000, for privacy breaches. But it remains unclear whether CNIL will levy a fine and whether other E.U. countries follow suit. “Our new privacy policy demonstrates our longstanding commitment to protecting our users’ information and creating great products,” Peter Fleischer, the Google global privacy counsel, said in a statement.
Google said in a statement that it believed that what it calls its privacy policy was legal. The letter to Mr. Page is only the latest addition to a growing list of regulatory headaches for Google. Antitrust officials at the European Commission are investigating whether Google has used its search engine to favor its own services and through preferential rankings to put competitors at a disadvantage. A similar inquiry is under way at the U.S. Federal Trade Commission.
“We have received the report and are reviewing it now,” Peter Fleischer, the Google global privacy counsel, said in the statement. “Our new privacy policy demonstrates our longstanding commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.” David Vladeck, the F.T.C.’s director of consumer protection, met last week in Brussels with Ms. Falque-Pierrotin, said Cecelia Prewett, an F.T.C. spokeswoman. She declined to divulge what they discussed.
If adopted, the recommendations could have consequences on some of Google’s main businesses, which depend on consumer profiling for the targeting of advertising. On privacy, Google has been under growing scrutiny since it acknowledged in 2010 that it had collected private data on individuals when it took photographs for its Street View mapping feature. Regulators in several countries, including the United States and France, have fined Google in connection with this practice; criminal and civil investigations are still open in Germany.
Jeff Gould, the president of SafeGov, a group based in San Francisco representing companies that sell software and hardware to governments, said Google’s privacy policy is very similar to that used by Microsoft and Facebook. “There’s a collective concern being expressed by different regulatory agencies in many parts of the world about the use of information online,” said Joel Reidenberg, director of the Center on Law and Information Policy at Fordham University in New York. “As the trend goes this way, we can expect to see more of these kinds of concerns expressed and a decreasing hesitancy about taking action.”
“Their approach is that we can take anything we learn from you from our services to build a profile of a user to serve targeted ads,” Mr. Gould said in an interview. “My view is that is a completely legitimate model if you give the consumer the opportunity to opt out.” While European Union lawmakers are working on an overhaul of the bloc’s data-protection rules, with an eye toward updating them for the borderless era of the Internet, enforcement remains a matter for national regulators. In France, CNIL has the power to fine companies as much as €300,000, or about $390,000, for privacy breaches. In some countries, data protection agencies can bring criminal complaints; in others, it cannot.
Google’s current privacy policy requires users to accept it before being able to use the full range of services, Mr. Gould said. Given this fragmentation, analysts said it was striking that the national regulators, acting at the request of an advisory panel created by the European Commission, had come together to issue a joint letter to Google.
“The Europeans want Google to ask the user to give their consent explicitly and on a much more specific level, to permit the collection of data for targeted ads.” “On the one hand, this is the first time all the European data-protection agencies have acted together as a group to tell a company that its actions are unacceptable,” Mr. Reidenberg said. “On the other hand, there is a bit of a mixed message, because they are refraining from taking any immediate action.”
“If Google did that responsibly, I don’t think it would kill their business,” Mr. Gould said. “But that is the 64,000 Terabyte question.” Coordinating such regulations and enforcement across continents is even more difficult, especially when cultural differences intrude, like in the perceived greater attachment to privacy in Europe than in, say, the United States. But regulators and Internet companies say greater alignment is desirable at a time when digital communications zip across borders and companies like Google operate on an ever more global scale.
In the letter sent to Google, the European data regulators said Google’s new policy allowed the company to “combine almost any data from any services for any purpose.” Jacob Kohnstamm, chairman of the European Commission’s data-protection panel, said that regulators in Canada and some Asian countries had participated in the investigation, in an effort to give the inquiry an intercontinental scope. He and Ms. Falque-Pierrotin said the European regulators had also consulted with the F.T.C., though the U.S. agency did not sign the letter to Mr. Page.
“Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it,” the letter said. In the letter, the European officials said Google’s new policy allowed the company to “combine almost any data from any service for any purpose.”
The regulators also noted that Google failed to tell the French investigators how long it kept certain kinds of data, despite being asked to. The regulators asked Google to give consumers more visibility over how their data is collected, used and combined, saying one possibility might be to create “interactive online presentations.” The regulators also chided Google for failing to specify how long it kept certain kinds of data, and urged the company to make it easier for users to “opt out” if they did not want their information gathered.
The group asked Google to make several specific changes to give consumers more awareness and control over their data, including an interactive online presentation of how the data is used. The regulators also said Google did not distinguish between data of different levels of sensitivity, saying the company attached the same importance to credit card numbers or the contents of a search query, for example. And they said so-called passive users of Google services that is, those who use a Google feature embedded in a third-party Web site often are provided with no information on Google’s data policies.
The regulators also asked Google to better explain the purposes for collecting data, and how data combined from its different services which include YouTube, a search engine and the Google Plus social network might be used. Jeff Gould, the president of SafeGov, a group in San Francisco that represents companies selling software and hardware to governments, said Google’s “approach is that we can take anything we learn from you from our services to build a profile of a user to serve targeted ads.”
It also called on the company to give people greater ability to opt out if they did not want their information used for a specific purpose. “My view is that is a completely legitimate model, if you give the consumer the opportunity to opt out,” he said.
The request to Google comes as European antitrust regulators separately are investigating whether Google has used its search engine to favor its own services and through preferential rankings to put competitors at a disadvantage. Analysts say Google needed to change its policy to keep pace with rivals like Apple and Facebook, whose services are more integrated than Google’s. Ms. Falque-Pierrotin countered that greater transparency could actually be a competitive advantage for Google.
The U.S. Federal Trade Commission is also preparing a recommendation that will ask the U.S. government to sue Google for its search engine practices. Google’s new privacy policy requires users to accept it before being able to use the full range of services, rather than approving individual uses of their data, as the European regulators would like. Whether this would dissuade them from using Google services is not clear.
In Europe, Google has been under fire since it admitted in 2010 that it had collected private data on individuals by secretly siphoning unencrypted Internet data that was broadcast from home Wi-Fi routers, as Google cars drove by to take photographs for its Street View online map business. “If Google did that responsibly, I don’t think it would kill their business,” Mr. Gould said. “But that is the 64,000-terabyte question.”
Google at the time attributed the collection of Wi-Fi data to a programmer’s error, but the computer engineer at the center of the project, who resided in California, has never publicly given his version of events. Last April, the Federal Trade Commission fined Google $25,000 for obstructing its investigation into the incident, although the regulator concluded that Google’s collection of Wi-Fi data, while intentional, was not illegal. Kevin J. O’Brien reported from Berlin.
In Europe, a criminal and a civil investigation into Google’s Wi-Fi data collection are still open in Germany, although most European countries have since dropped their complaints after Google apologized. In France, CNIL, which was the first European privacy agency to search the technology on Street View cars, fined Google €100,000, or $130,000, in 2011.
Mr. Kohnstamm, who also serves as chairman of the European Commission’s top privacy panel, called the Article 29 Working Group, said by telephone that privacy regulators in all 27 European Union countries, plus Canada and some countries in Asia, had participated in the CNIL inquiry and had endorsed the request to Google, which outlines areas for changes to improve protection of personal data.
Mr. Kohnstamm had asked Google in a letter on Feb. 2 to postpone its new privacy policy so European regulators could investigate its effects on privacy. But Google declined.
“We are hoping that this time Google will listen to us,” Mr. Kohnstamm said.
Eric Pfanner contributed reporting from Paris.