ICOMP

January 2012, Google announced that it would change its privacy policy to increase the ways in which it combines the personal data of users across its vast array of services. Within days, the Article 29 Data Protection Working Party (Working Party) of European data protection agencies asked Google to delay the roll-out of the policy while it could be checked for consistency with European privacy law.  Google refused to wait and on 1 March, Google put its new policy into effect.

The French privacy regular CNIL then proceeded to investigate Google on the Working Party’s behalf.  Over the course of the next eight months, the CNIL asked Google for details of its privacy practices, including what data the company was collecting from consumers and how it was combining and using that data.  Google delayed responding to the CNIL’s questions and in some cases simply refused to answer.

On 16 October 2012, the Working Party issued its long-awaited letter (with accompanying appendix) highlighting the illegal violations of privacy associated with Google’s privacy policy. The letter is signed by all 27 of Europe’s Data Protection Agencies and roundly condemns the lack of information provided before Google integrated all consumer data across the company’s platforms.

In summary, the Working Party’s conclusions are as follows:-

• Google “misled users” about the full extent of its practices

• Google combines “vast” quantities of user data to build profiles of its users — but “lacks a legal basis” for doing so

• Google’s opt-out and user control mechanisms are “ineffective

• Google collects data from citizens who never use Google services and does so without their knowledge or consent

• Google’s cloud-based “Google Apps” collects and combines data about employees without their “valid consent”

For a more comprehensive summary of the Working Party’s findings, please click here.

The breadth and depth of the coverage this news received in the world’s media only serves as a testament to how important consumers and competitors alike consider this issue to be. Outlets across the globe highlighted the shortcomings in Google’s privacy framework including The Financial Times, The Telegraph, The Independent, The BBC, Le Figaro, Die Welt, The Wall Street Journal, IHT and a 10-page cover story in Der Spiegel to name but a few. ICOMP spokesperson Auke Haagsma was featured on The BBC, Bloomberg and in The Guardian calling on Google to tell consumers what data it is collecting and what it is being used for and Big Brother Watch Director, Nick Pickles was also widely quoted describing how “Consumers have been kept in the dark about how much data Google collects and what happens to that data… Google’s new privacy policy only further disguised what really happens when you use their services.”

Regulators across Europe, including the EPP Group the UK Information Commissioner’s Office and various MEPs also commented on the news. Vivian Reding, EU Commissioner for Justice commented that the Working Party’s findings “confirm that some companies simply don’t take privacy issues as seriously as their share price.” Expert commentators the world over also rallied to support the announcement including Consumer Watchdog’s John Simpson, Attorney, Professor at Harvard Business School Ben Edelman and privacy advocate Simon Davies who remarked “The reality is that the letter is an iron fist in a velvet glove.Although camouflaged with words such as ‘challenge’ and ‘request’ the letter clearly opens the litigation terrain to national regulators who will be doing more than ‘requesting.’ Article 29 has created an evidence-based foundation for all regulators to commence legal proceedings.”

Google’s initial response would have been baffling had it not been rehearsed to the point of inevitability. Privacy Counsel, Peter Fleischer asserted that Google is  “confident [its] privacy notices respect European law”, a reply which begs the question whether Google have even afforded last week’s letter the dignity of reading it.

What should be borne in mind as regulators await a more substantive response from the search giant is the extent to which this violation is linked to its dominant market position. As Law 360 explains: “Google’s monopoly position is largely due to its unrivalled control of user personal data, which in turn allows it to demand a monopoly premium price from online advertisers. And it is precisely through violating user privacy that Google in turn gains that control of user data. So as competition authorities in Europe and the United States begin to think about antitrust remedies, they should be cribbing notes from their privacy counterparts.”

In other words, competition authorities should think carefully about implementing stronger user privacy protections as part of any demand for remedies and potential settlement with Google.

Regards,

The ICOMP Secretariat

On October 16, 2012 the EU’s Article 29 Working Group (ART29WG) published a letter and accompanying appendix to Google CEO Larry Page concluding that Google is not in compliance with the 1995 EU data protection directive in any member state. It is a welcome confirmation of not only the illegality of the company’s privacy policy implemented in March this year, but another indication of repeated obstruction on the part of Google and its constant desire to sidestep regulation that impinges on its ability to harvest data from European citizens to feed its advertising business.

The letter outlines twelve areas in which it expects Google to rectify it’s privacy policy and notes that “combining personal data on such a large scale creates high risks to the privacy of users” and that “Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.”

ICOMP believes that robust action is needed now to defend not only the individual rights of consumers, but to restore trust in the wider online ecosystem which demands fair and transparent use of consumer data. Google’s willful disregard of clear privacy rules, threaten to scare consumers away from all online activity.

To recap, earlier this year, Google announced plans to introduce a new privacy policy that would allow the company to combine nearly all personal data collected across dozens of different services and use that data to sell targeted advertisements. Essentially, a user signing into YouTube could have data on their video searches combined with key-words extracted from their Gmail conversations and location data from an Android phone to build a very precise picture of their habits, preferences and movements. With over 60 ‘services’ Google’s users will undoubtedly have seen their data co-mingled and used to target advertising. The events that followed saw Google implementing the policy despite requests from both the Working  Group and consumer group BEUC (European Consumers Organisation) among others to delay the roll out, as well as the company’s late and incomplete submission of questionnaires to the Commission Nationale de l’Informatique (CNIL), the French data protection authority asked by the ART29WG to investigate Google’s alleged privacy breach, and even questioning its authority.

The letter has been signed by 27 European Data Protection Agency’s (DPAs) as well as by DPAs from Lichtenstein and Croatia.  In addition, nine other national authorities — from Australia (federal and provincial DPAs), Hong Kong, Macao, Mexico and British Columbia — endorsed the findings. It confirms that: “As data protection regulators, we expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data protection laws and principles.”  It is clear from this that Google is not in compliance with the EU data protection directive privacy laws and therefore contravenes riles in all twenty-seven EU countries (plus the three additional signatories in the European Economic Area).

Each DPA will have to decide what sanctions will need to be applied in each jurisdiction and whether there is a need for additional remedial steps.

Clearly, there is a need for appropriate fines to be levied in each of the countries where the law has been broken. However, as seen in the past fines are essentially meaningless for a behemoth such as Google and a fine does not proactively stop this sort of transgression reoccurring, nor does it structurally help those whose privacy has been invaded.

ICOMP applauds the Data Protection Authorities’ decision to ask Google to give consumers more information over how their browsing history will be used, and strongly encourages European DPAs that they must go one step further and request that Google implement real, robust corrective remedies to help re-establish trust within the next few months;

• Addressing the unlawfully acquired data – deleting and providing proof of deletion of customer data gathered under this illegal privacy violation
• Requiring Google to revert  to its previous policy whereby consumers had to give consent for their data to be collected for each Google service and not a single consent covering all Google services
• Establishing a robust monitoring and reporting mechanism to ensure that both of the above take place
• Establishing greater means for users to enforce their right to require Google to provide them with a copy of the data held on them by Google so that individual consumers can be sure of what data Google has on them, and how it is being used

Google has positioned itself as the internet users’ champion; a free for all service whose offering is so popular it has entered the common lexicon and has given it its 95% dominance in Europe. This, the company believes, allows it to turn its back on regulators, governments, consumer organisations and treat its own consumers with disdain. However any organisation that positions itself in that way must accept the obligation it puts itself under by following, and not continually obfuscating, correct and proper regulatory processes. ICOMP calls on all member DPA’s to follow through on its commitment in ensuring that not only are the twelve areas enforced but regularly monitored. This company believes it is above the law. It falls on the law-makers to make it fall into line once more.

Regards,

The ICOMP Secretariat

Today , in an unprecedented move, 27 of Europe’s privacy enforcement agencies signed a letter to Larry Page demanding Google takes action over its treatment of personal data gathered from citizens across Europe, citing “several legal issues with the new privacy policy and the combination of data”.

The letter confirms what ICOMP and many others feared – that Google’s actions and responses to the enquiry “Have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object . Indeed, the [Google] Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.”

ICOMP believes the investigation has shone a light on Google’s business model which depends on amassing as much data on individuals as possible in order to support its advertising business.  The combination of Google’s dominance and scale, plus the co-mingling of data from numerous services without the express consent of the individuals involved presents a massive risk to personal privacy.  This has now been confirmed as contravening privacy regulations in Europe and likely many other jurisdictions.

Europe’s privacy regulators suggested a number of specific remedies that effectively require Google to unwind its ability to illegally combine data and to offer a truly informed choice to its users. While this strikes to the heart of Google’s desire to enrich its trove of personal data, ICOMP hopes that Google will engage quickly, openly and fully with these requirements and so come back into compliance in this crucial area.

Furthermore, ICOMP urges all 27 EU privacy enforcement agencies who signed the letter and other privacy enforcers around the world to ensure that personal data gathered and combined in this way since the new privacy policy was implemented in the face of their opposition, is deleted so as to present no further risk to the consumer. A comprehensive monitoring oversight regime should be established to not only ensure this is the case, but also to police Google’s compliance with the other remedies suggested in the letter.

The Initiative for a Competitive Online Marketplace (ICOMP) is delighted to announce Bottin Cartographes, the French digital mapping company, as our latest Council Member.

Founded in 1992 Bottin Cartographes provides detailed cartographic solutions to both businesses and consumers. The company provides these solutions in print, on the web or customised for mobile devices.

ICOMP looks forward to working together with Bottin Cartographes in our campaign for a free, open and competitive online marketplace.

For further information about Bottin Cartographes please visit http://i-comp.org/blog/yB

Regards,

The ICOMP Secretariat

Many in Europe may not have heard about Buscapé.  We are the leading digital commerce platform in Latin America and members of ICOMP since [May] 2012.

One company which has certainly heard about Buscapé is Google.  As is pretty common these days, we have issues with Google and have been taking legal proceedings against Google in the 18th Civil Court of the São Paulo Central for loss and damage we have suffered from Google’s practice of discriminating against its competitors with respect to search rankings. We have also filed a complaint against Google with the Brazilian competition authority, the CADE.

The Brazilian Court proceedings have attracted attention for a couple of reasons.  The first of these is that Google seems to be placing great reliance on a preliminary finding by the Brazilian court that Google does not possess market power, and is relying on that to suggest that antitrust enforcers worldwide should do the same.

In reality it seems highly improbable that a ruling of a fairly junior and non-specialised Brazilian court[, which is already under appeal,] will carry a great deal of weight with sophisticated antitrust agencies — including DG Competition, the U.S. Department of Justice, the U.S. Federal Trade Commission, and the French competition authority — who have already found, after extensive investigations, that Google possesses market power and for whom the key question is whether Google has abused that market power.  The complaint filed with the CADE continues in parallel with the Brazilian court proceedings.

The second interesting issue concerns Google’s attitude to the judiciary in Brazil, which is both symbolic and symptomatic of its relationship with other authorities.

The civil court in Brazil stipulated, at the request of Google, that the court proceedings should be kept confidential by the parties to the case – ourselves and Google.  In breach of this stipulation, a translation of the preliminary ruling was posted on Scribd and leaked to Search Engine Land, which ran a misleading and highly one-sided story.  Amusingly for seasoned Google-watchers, it appears that metadata in the document posted on Scribd reveals that the author was Fabiana Siviero, Google’s Legal Director in Brazil.  The Brazilian court may take a more jaundiced view.

There is, of course, a serious point here.  Google, by failing to acknowledge that major antitrust authorities disagree with key aspects of the Brazilian court’s holding, has both misrepresented the significance of the Brazilian ruling to the many ongoing antitrust investigations. It also appears to have acted in breach of a Brazilian court stipulation.  Many will not be surprised by such an attitude.  Nonetheless, it is important to bear in mind both when listening to Google’s protestations of innocence and for regulators or courts seeking to place limits on how Google behaves.

Rodrigo Borer

Buscapé