Of Men and Mice: Should the EU Data Protection Authorities’ Reaction to Google’s New Privacy Policy Raise Concern for the Future of the Purpose Limitation Principle?

Abstract

On 24 January 2012, Google publicly announced the consolidation of its existing privacy policies covering over 60 of its different services into one main privacy policy1. The changes were presented as an effort to “integrate [its] different products more closely so that [it] can create a beautifully simple, intuitive user experience across Google” as well as a reaction to feedback from global regulators, which had been calling for shorter, simpler privacy policies. The new policy was due to come into effect on 1 March 2012. Google’s announcement sparked an almost immediate reaction from EU data protection regulators concerned what the changes couldmean for internet users given Google’s dominance within the EU not only of the market in online search but also in other online sectors. On 2 February 2012, the EU’s Article 29 Working Party wrote to Google asking it to delay the changes until the data protection implications could be checked2. It argued that “given the wide range of services [Google] offer[s], and popularity of these services, changes in [its] privacy policy may affect many citizens in most or all of the EU member states”. TheWorking Party also informedGoogle that it had asked the French data protection authority, the Commission Nationale de l’Informatique and de Liberte (CNIL), to take the lead in reviewing the compliance of Google’s new policy with the EU data protection framework. Google refused to delay the introduction of the new policy, arguing that it had extensively prebriefedEUdataprotectionauthorities on the changes prior to notifying them to Google account users, and had not been told by any EU regulator that any sort of pause would be appropriate3. However, on 27 February 2012, the CNIL wrote4 to Google confirming that after a preliminary investigation it had come to the conclusion that the new policy did not meet the requirementsof theDataProtectionDirective5. It criticizedGoogle for consulting someEUdata protection regulators but not others and for failing to give even those regulators that it consulted the opportunity to provide constructive feedback. Like theWorking Party before it, it called on Google to delay the implementation of the new policy until it had completed its full analysis.However, Google refused this request and the new policy came into force on 1 March 2012 as previously announced. In its letter to Google, the CNIL had raised particular concern about the lack of transparency on Google’s part about its processing activities and Google’s claims that it will combine data across services. Although, the new policy did not specify whether or not this right to combine information also applied to data already held by Google services before thenewpolicy came into force, it canbeassumed that this was Google’s intention. Under Article 6(1)(b) of the Data Protection Directive personal data can only be “collected for specified, explicit and legitimate purposes and not fur* Judith Rauhofer is Lecturer in IT Law, University of Edinburgh; Judith.Rauhofer@ed.ac.uk.