European privacy ruling has far-reaching implications for Google Apps in Europe

Jeff Gould by Jeff Gould, SafeGov.org
Monday, December 10, 2012

This October, the EU’s Data Protection Authorities (DPAs), led by France’s Commission nationale de l'informatique et des libertés (CNIL), issued a major regulatory ruling on Google’s controversial privacy policy. Recall that this policy is a document in which Google explains what it believes it is allowed to do with the personal information it gathers about users. Last March Google imposed a sweeping revision of the policy. The explicit justification of the new version was to grant Google the right to combine user data from all of its many services in order to deliver more accurate targeted advertising. While the tone of the EU ruling was polite and even deferential, its implications are more serious than has been commonly recognized. In particular, a little noticed paragraph suggests that the search firm’s Google Apps collaboration suite – its flagship offering in the European government and education markets – will be subject to even tighter privacy restrictions than Google’s consumer products such as Search or YouTube.

The 27 EU DPAs, associated in the so-called Article 29 Working Party, found that Google’s policy fails to comply with existing European privacy law, specifically the 1995 Data Protection Directive and the 2002 ePrivacy Directive, and asked Google to make broad changes to its policy. In particular, they found that Google does not respect EU law requiring that personal data be collected and processed only for limited purposes, that users be clearly informed of these purposes, and that they be given the right to opt-out. In the press conference that followed the presentation of the report, CNIL President Isabelle Falque-Pierrotin and Article 29 Group Chairman Jacob Kohnstamm gave Google a deadline of four months to make the required changes, failing which the DPAs will take legal action.

Initial coverage of the Article 29 Group’s ruling has focused on Google’s free consumer services. But the ruling’s most far-reaching implications concern Google Apps, a suite of email and office collaboration apps aimed at organizations. If fully applied, the ruling could effectively shut down deployments of Google Apps by European governments, schools and enterprises, at least until Google makes the changes the EU regulators are seeking. The reason stems from a brief paragraph buried in the middle of the report:

“For Google Apps end-users, the use of a Google Account is decided by the Google Apps customer (typically the company that employs the end-users): consent may therefore not be valid. Google should apply limitations to the combination of data across services and this combination should be restricted to the services included in the Google Apps offer.”

Under European law there are certain things an online service cannot do unless the user has expressly consented. For example, it may not data mine the user’s content for purposes of targeted ad delivery. Thus, when a customer organization imposes on its members (employees or perhaps students) the use of a cloud email service that relies on such data mining, the organization may not consent on the members’ behalf to the gathering and processing of their personal information. Only individuals can consent to such use of their data, if properly informed of the purposes for which the data is gathered and processed, and if allowed to opt-out.

In the case of Google Apps, the DPAs say that Google must limit the very thing which was the chief purpose of its revised privacy policy, namely the combination of user data across its services. Furthermore, they say, Google must especially avoid combining data from the services in Google Apps (primarily Gmail and Google Docs) with data from its ad-supported consumer services such as Search, YouTube, or Google+. In short, the EU DPAs insist that the collective service Google Apps must respect a higher bar for user privacy than the firm’s consumer services chosen by individuals.

Although the DPAs do not say so in their report on Google’s privacy policy, it is likely that they are also looking at similar consumer privacy policies from other firms that engage in online advertising such as Facebook and Microsoft. Both of the latter have published policies granting themselves the same broad rights as Google to combine user data from multiple sources in order to improve online ad targeting. However, it is worth noting that unlike Microsoft’s consumer services such as Bing or Hotmail, the software firm’s enterprise cloud service Office 365 – an email and collaboration suite aimed at the same government, school and enterprise customers as Google Apps – is governed by a separate privacy policy that includes a strong pledge not to data mine customer emails or otherwise exploit users’ personal information for advertising purposes.

While Article 29 Group ruling has implications for all organizations using cloud services (including giant corporations such as Spain’s BBVA bank, which recently signed up for Google Apps), it may have the most impact on governments and schools, which are particularly sensitive to privacy issues and regulatory requirements. In the U.S. the public sector has been the most enthusiastic early adopter of cloud email and document collaboration services. European governments and schools are at an earlier stage of cloud adoption than their U.S. counterparts, and they are likely to be all the more wary of adopting Google Apps until Google reaches a settlement with the Article 29 Group.

Is the Article 29 Group ruling now in danger of becoming a serious roadblock to adoption of cloud services by Europe’s governments, schools and enterprises? Not necessarily. If Google and the other big cloud providers are willing to make the changes to their privacy practices that the EU DPAs have politely but firmly requested – and there is no reason to think that these changes will break the business models or capacity for innovation of these providers – then the result could well be an acceleration of cloud uptake by both public and private sector organizations in Europe. Let us hope that Google and the European DPAs will rapidly reach a settlement satisfactory to all sides, and thus prove that careful government regulation and dynamic new market innovations such as cloud computing are not incompatible.

More information

Post a comment

Sign in to comment.

Not yet registered? Join the debate