When small and mid-size companies start expanding their apps or web presence into Europe, they need to start thinking about EU data protection laws. It’s tempting to take a look at what one or two of the “big guys” do about EU data protection compliance and think that whatever the big guys do in Europe must be good enough. But the ongoing saga between Google and the EU’s data protection authorities shows that this approach shouldn’t be adopted uncritically.
In the latest Google EU privacy development, Google has signed an undertaking (binding commitment) with the UK’s data protection office (the ICO) to make a number of changes to its privacy policy. Google has been in dialogue with EU data protection offices both at the country level and through the Article 29 Working Party since Google adopted a unified privacy policy across its products and businesses in 2012. While the ICO has recognized that Google has made progress since 2012, the ICO has recently determined that “further improvements” are needed. Google has agreed to a number of specific requirements, including:
- Making it easier for users to find information about Google’s privacy policy.
- Describing its data processing activities more clearly in its privacy policy, including clarifying the types of information that it processes, the purposes, and how users can exercise their rights.
- Providing “clear, unambiguous and comprehensive information” regarding its data processing,” including an “exhaustive list of the types of data . . . and purposes.”
- Providing more information about its use of anonymous identifiers (a next-generation tracking/behavioral profiling technology that’s being developed and may eventually replace cookies).
- Educating its employees better concerning notice and consent requirements.
- Making sure that users are equally protected regardless of what device they are using (mobile phones, tablets, desktops, and any new devices that are invented).
Google has committed to putting these changes into effect by June 30, 2015. In the meantime, Google’s undertaking provides a useful spotlight on the areas of EU data protection compliance that the ICO (and other data protection offices) think require significant attention.