European Union privacy regulators want Google to make its privacy policies easier to find and understand, with exhaustive lists of what data it holds and processes, in order to comply with EU law, they told the company this week.
Google received the package of recommendations from the Article 29 Working Party (WP29), an umbrella group for European data protection authorities. While WP29 has no power to sanction the company, its members have imposed fines in a number of cases following Google’s 2012 changes to its privacy policy, which several national privacy regulators found breached EU rules.
WP29’s recommendations are common guidelines for complying with national privacy laws, it said in a letter to Google published Thursday.
The group could extend the guidelines to apply to the whole industry at a later date, it said.
The guidelines are just one way the company could comply with the law, and are not compulsory, but neither do they pre-empt enforcement actions by national authorities, the WP29 said, adding that it remains open to discussing any other measures that Google would propose to address the legal requirements.
Google plans to do just that. “We’ve worked with the different data protection authorities across Europe to explain our privacy policy changes. We’re always open to their feedback and look forward to further discussing their suggestions in detail,” a Google spokesman said in an email.
The data protection authorities want Google to make its privacy policy immediately visible and accessible from each service landing page, and provide an address at which users can contact the company to exercise their rights.
The privacy policy should have clear, unambiguous and comprehensive information regarding data processing, they said, including an exhaustive list of the types of personal data processed.
In case that should prove too much information for some, WP29 also suggested personalizing the privacy policy for authenticated users, showing them only the data processing it is performing on their data.
“For example, for a user of Google Search, Gmail and Google Display Network it would be possible to present only information about those services in a dedicated tool demonstrating how the user’s data are combined to deliver these services,” it said, adding that this personalized privacy policy could be extended to all users based on cookie information or other credentials already used by Google to identify users.
In order to allow users to control the use of their personal data, Google must also provide them with more elaborate tools to manage their personal data and to control the usage of their personal data between all Google services, WP29 said. This could be done by making the current dashboard more accessible and including all Google services in that dashboard.
No deadline was set for Google to respond to the suggestions. The WP29 is considering issuing guidance on specific issues to the entire industry at a later stage.