Last week, the UK’s Information Commissioner’s Office or ICO revealed that it had asked Google to revise its privacy policy to conform to their Data Protection Act. The ICO’s action, along with similar requests made by data protection regulators in France, Spain, and Germany, puts increasing pressure on Google to provide more information and explicit opt-in for EU users. That is, if Google wants to do business in the EU.
In early 2012, Google simplified its privacy policies across all its services into a single terms of service agreement. This may have been good for web administration, but it actually goes against core EU data protection and privacy principles. Unlike the US, the EU has a Data Protection Directive or DPD, which is essentially a template for laws in each of the 26 or so member nations. Anyway, the DPD requires explicit opt-in when a “data controller” (i.e., retailer, bank, credit card company, and especially online site) collects information from a consumer and processes it.
In the US, we’re just comfortable with checking off a single box that vaguely describes what is actually a massive number of legal clauses crafted by attorneys–so few of us click on the ToS link. In the EU, data protection regulators require opt-ins for each important use of personal data collected, so that consumers know and approve of what is being done with their data.
Google may be able to win their battle with the EU over the proposed change in the DPD to include a Right to be Forgotten (by the way, the UK’s ICO sides with Google on this one). But on the requirement for more descriptive privacy policies, Google will likely have to change the way they present their services. It will be interesting to see if this carries over to the US as well.
Image credit: GeographBot