We all know the basics: when you sign up for a Google account you provide valuable personal information that allows hardworking people at the company to build a profile of you. This will include your age, your interests, your contacts and much more. You trade your data for an easy ride on the internet.
And, as we all know: Google doesn’t do evil.
But early last week privacy regulators in Europe smacked Google hard, suggesting the way the company handles users’ data is in breach of European data protection law.
Fixing the problem
As part of its review, CNIL asked Google to provide detailed information about its data-protection practices. The regulator characterised the company’s responses as “incomplete and approximate”.
CNIL representatives noted that Google refused to provide information about how long it keeps users’ personal data, and that:
Furthermore, CNIL representatives suggested users are:
unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed.
Quite simply, we are transparent to Google but Google isn’t transparent to us.
Laying down the gauntlet
CNIL representatives [suggested](The regulators said Google should avoid excessive collection of data and not retain data indefinitely, and that users should be able to choose how, and if, their personal information is used.
Google should “take effective and public measures to comply quickly and commit itself to the implementation of these recommendations” – if it doesn’t act within “months”, it could face action at a national and whole-of-Europe level, potentially involving financial penalties, reputational damage and even restrictions on international data transfers.
Google isn’t alone. We can expect similar condemnation following last week’s policy changes over at Microsoft.
This is somewhat ironic because Microsoft has previously warned consumers that Google does not care about their privacy.
The changes made by Microsoft are virtually the same as those adopted by Google earlier this year – that is, the combination of policies for many products (such as Hotmail and SkyDrive) into one broader “services agreement”.
Previously, Microsoft didn’t draw on user information from its free services to “enhance” other services … unlike Google. But the new services agreement allows Microsoft to do so – to scan email and instant messages as the basis for targeted advertising, for instance.
Which raises a question: if users can’t even understand what they’re agreeing to when they use a service, have they really agreed?
The significance of consumer activism and the involvement of legislators was illustrated by Microsoft’s announcement this week that it will change its policy to explicitly inform US consumers that it will not use personal information collected from users of some Microsoft products to produce or promote targeted online advertising.
That change follows criticism by US federal representative Markey, who is unimpressed by inconsistencies between what the agreement allows Microsoft to do and Microsoft’s promises to be good … more good than Google.
The Australian angle
So where does Australia stand on issues of transparency in dealing with corporations such as Google and Microsoft?
But Australia’s national privacy watchdog, the Office of the Australian Information Commissioner (OAIC), is yet to take any action against Google or Microsoft.
We’re also still waiting on a coherent proposal for a privacy tort. The tort provides scope for people to take legal action when their privacy is invaded and potentially gain compensation for psychological or other injury. It recognises that protection from that invasion is fundamental in liberal democratic states.
To state the obvious: we shouldn’t, by extension of living in Australia, be subject to online “data plunder”. The government and regulators need to address bad practice by Google, Facebook, Microsoft and other tech giants.
A way forward
We know many large corporations (such as Google and Microsoft, and others such as Facebook) are gathering and retaining large amounts of personal data provided by Australians.
But what, exactly, are they doing with that data?
Regulators need to help users on that front, encouraging providers to act as custodians rather than data owners.
Australian agencies should be encouraging that shift. A good first step would be to follow the European example and investigate faceless entities who know so very much about us.