We all know the basics: when you sign up for a Google account you provide valuable personal information that allows hardworking people at the company to build a profile of you. This will include your age, your interests, your contacts and much more. You trade your data for an easy ride on the internet.
And, as we all know: Google doesn’t do evil.
But early last week privacy regulators in Europe smacked Google hard, suggesting the way the company handles users’ data is in breach of European data protection law.
The regulators, led by France’s national privacy watchdog CNIL, reviewed Google’s privacy policy following changes made in March this year to consolidate product-specific privacy policies for more than 60 products (such as YouTube and Gmail) into one broad policy.
Fixing the problem
As part of its review, CNIL asked Google to provide detailed information about its data-protection practices. The regulator characterised the company’s responses as “incomplete and approximate”.
CNIL representatives noted that Google refused to provide information about how long it keeps users’ personal data, and that:
the privacy policy [of Google] suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.
Furthermore, CNIL representatives suggested users are:
unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed.
Quite simply, we are transparent to Google but Google isn’t transparent to us.
Laying down the gauntlet
The regulators have asked Google to commit expressly to EU privacy principles and to respect EU policy on consent, which will soon have a statutory basis.
CNIL representatives suggested Google should avoid excessive collection of data and should not retain data indefinitely, and that users should be able to choose how, and whether, their personal information is used.
Google should “take effective and public measures to comply quickly and commit itself to the implementation of these recommendations” – if it doesn’t act within “months”, it could face action at a national and whole-of-Europe level, potentially involving financial penalties, reputational damage and even restrictions on international data transfers.
Microsoft
Google isn’t alone. We can expect similar condemnation following last week’s policy changes over at Microsoft.
This is somewhat ironic because Microsoft has previously warned consumers that Google does not care about their privacy.
The changes made by Microsoft are virtually the same as those adopted by Google earlier this year – that is, the combination of policies for many products (such as Hotmail and SkyDrive) into one broader “services agreement”.
(Somewhat confusingly, this services agreement will sit alongside a separate privacy policy.)
Previously, Microsoft didn’t draw on user information from its free services to “enhance” other services … unlike Google. But the new services agreement allows Microsoft to do so – to scan email and instant messages as the basis for targeted advertising, for instance.
It’s difficult for specialists, let alone ordinary users, to make sense of overlaps, contradictions and omissions in the overall services agreement, the broader privacy policy and the service-specific policy statements.
Which raises a question: if users can’t even understand what they’re agreeing to when they use a service, have they really agreed?
The significance of consumer activism and the involvement of legislators was illustrated by Microsoft’s announcement this week that it will change its policy to explicitly inform US consumers that it will not use personal information collected from users of some Microsoft products to produce or promote targeted online advertising.
That change follows criticism by US federal representative Markey, who is unimpressed by inconsistencies between what the agreement allows Microsoft to do and Microsoft’s promises to be good … more good than Google.
The Australian angle
So where does Australia stand on issues of transparency in dealing with corporations such as Google and Microsoft?
The federal government has repeatedly emphasised its commitment to improved privacy protection, most recently in promoting a discussion paper on mandatory reporting of data breaches.
But Australia’s national privacy watchdog, the Office of the Australian Information Commissioner (OAIC), is yet to take any action against Google or Microsoft.
We’re also still waiting on a coherent proposal for a privacy tort. Such a tort would give people scope to take legal action when their privacy is invaded and potentially to gain compensation for psychological or other injury. It would recognise that protection from such invasion is fundamental in liberal democratic states.
To state the obvious: living in Australia should not mean being subject to online “data plunder”. The government and regulators need to address bad practice by Google, Facebook, Microsoft and other tech giants.
A way forward
We know many large corporations (such as Google and Microsoft, and others such as Facebook) are gathering and retaining large amounts of personal data provided by Australians.
But what, exactly, are they doing with that data?
Regulators need to help users on that front, encouraging providers to act as custodians rather than data owners.
Australian agencies should be encouraging that shift. A good first step would be to follow the European example and investigate faceless entities who know so very much about us.