Wednesday, March 7, 2012

Google’s Privacy Policy Under Fire Before it Became Effective

On February 22, thirty-six attorneys general signed and sent a letter (through the National Association of Attorneys General) to Google objecting to its new privacy policy, scheduled to take effect on March 1. (See prior post about the provisions of the new policy.) The National Association of Attorneys General reports that the letter objects to Google's one-size-fits-all approach for all consumers of all of its various services. Specifically, the letter states, "Google's new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products. Consumers have diverse interests and concerns, and may want the information in their Web History to be kept separate from the information they exchange via Gmail." Feb. 22, 2012 Letter. Indeed, the policy requires that consumers to "allow information across all of these products to be shared, without giving them the proper ability to opt out." Id.
 

The letter also points out that users of Android phones will be significantly impacted: "Even more troubling, this invasion of privacy is virtually impossible to escape for the nation's Android-powered smartphone users, who comprise nearly 50% of the national smartphone market. . . . For these consumers, avoiding Google's privacy policy change may mean buying an entirely new phone at great personal expense. No doubt many of these consumers bought an Android-powered phone in reliance on Google's existing privacy policy, which touted to these consumers that 'We will not reduce your rights under this Privacy Policy without your explicit consent.'" Id. (Footnotes omitted). So much for that promise.

The letter requests a response by February 29. It's unclear whether a response was provided.

EPIC v. FTC Lawsuit
 

In a related story, the Electronic Privacy Information Center filed suit on February 17 against the FTC to require it to enforce the Google Consent Order, thus barring the amended privacy policy from becoming effective. The court dismissed the complaint on February 24 for lack of jurisdiction over the FTC, but noted its own concerns about the terms of the privacy policy. EPIC filed an emergency appeal with the Circuit Court of Appeals for the D.C. Circuit on February 24, seeking argument before the March 1 effective date. Details about EPIC's efforts, copies of its pleadings and information about the FTC Chairman's interview on C-SPAN, the EU's objection to the privacy policy changes, and the attorneys' general's objections can be found on its Consent Order Page.
 

Note also that EPIC obtained (through a FOIA request) a copy of Google's Privacy Compliance Report that it filed with the FTC on January 26, 2012. EPIC has posted a copy on its Consent Order Page (see the heading entitled, "'FOIA Matters' - EPIC Obtains Google Privacy Compliance Report"). The Privacy Compliance Report describes the March 1 privacy policy changes, although the description is rather watered down and focuses on Google's efforts to notify its users that the change was coming.
 

Five Privacy Organizations Request Congressional Hearing
    

On February 24, five privacy organizations wrote to Representative Mary Bono Mack and Representative G.K. Butterfield of the House Energy and Commerce Committee, Subcommittee on Commerce, Manufacturing and Trade objecting to the privacy policy and requesting that the currently scheduled private hearing with Google to discuss the changes to the privacy policy be opened to the public. Feb. 24, 2012 Letter. These organizations were the Center for Digital Democracy (CDD), Consumer Watchdog, Consumer Federation of America (CFA) and U.S. Public Interest Research Groups. As of this writing, a hearing has not yet been scheduled, but continue to check the Committee's hearing schedule for updates.
 

Foreign Organizations Respond in Opposition to New Privacy Policy 

On February 27, 2012, the Commission Nationale de l'Informatique et des Libert├ęs (CNIL) – an independent commission in the French government charged with "ensuring that information technology remains at the service of citizens, and does not jeopardize human identity or breach human rights, privacy or individual or public liberties" – sent a letter to Google, reporting that it has preliminarily concluded that "Google's new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects." (The phrase "data subject" refers to "an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." Art. 2, Definitions, (a))  
 

The Commission had been asked by the Article 29 Data Protection Working Party of the EU to take the lead on this investigation. (Google's response to the initial letter from the Article 29 Data Protection Working Party was sent on February 3, 2012, and basically argued that its policies had not changed, but were merely consolidated.)

Earlier, but for similar reasons, on February 23, 2012, the Australian Privacy Commissioner, Timothy Pilgrim wrote to Google on behalf of the Technology Working Group of the Asia Pacific Privacy Authorities expressing concern about the implementation of the new changes. Google responded on February 29.

News Coverage
    

Here are some samples of articles published in the past few days on this topic:

Google's Response Thus Far

Google has not posted any response on its press releases page, but that's not to say that Google hasn't responded directly to any of these organizations. At some point, I'm sure that Google will make some public statement – in some forum – that will continue to defend its decision to consolidate its privacy policies and the accumulated consumer data into one single data source, probably on the grounds that this is a benefit to consumers because it would allow Google to customize its services to their use.

Conclusions

It appears that the only recourse a consumer has if he or she does not want to participate in the new consolidation of their data currently spread over various Google services is to cancel all Google accounts. It could be very time-consuming to find replacement services (for instance, set up and transition to a new email account, remove YouTube video content and re-post somewhere else that does not require such a broad license to the host, port a blog from Blogger to WordPress (for instance) and publicize the new address). For anyone who uses these services for business or advertising/marketing purposes, the impact in both time and money – and perhaps goodwill developed from a loyal following – could be significant to transition to new providers. As a result, perhaps it's not really a valid "choice."