Google faces UK deadline to clean up on privacy
- Summary:
- Google has been playing fast and loose with privacy for a very long time. Now, UK regulators have set a deadline of 30the September for Google to deliver on tis 2008 transparency promise. So far, there is no sign it plans to conform.
Reports are emerging that Google is in fresh trouble with UK regulators on its privacy policies. TheNextWeb notes that:
UK watchdog Information Commissioner’s Office (ICO) has given Google until September 20 to amend its privacy policy, deeming that it raises “serious questions” about compliance with the UK data act.
In a statement, ICO said it has worked with other members of the Article 29 Working Party, made up of other 27 data protection authorities from across Europe, and explained its beef with Google’s privacy policy:
In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.
The watchdog confirmed to TechCrunch its three main areas of concern — namely that Google needs to provide more information about how it processes users’ personal data; that Google needs to inform users specifically what their personal data is being used for so they fully understand the implications of using Google’s services; and that it must inform users when their personal data is being retained in a way they might not expect.
An old problem coming home to roost
In case you're wondering if this is a new topic given fresh impetus by the PRISM revelations and Google's part in that saga, you'd be wrong. Back in 2008 (yes - more than five years ago), I wrote in a piece entitled Google's obfuscation on privacy:
There are slightly different policies covering each type of service with which Google users engage. Just looking at the [privacy policy] page makes me go 'What the heck?'
Even further back, in 2007 - almost six years ago - I wrote a piece entitled Google's inconsistent service policies where I outlined some of the many ways in which Google's policies are inconsistent with one another. If you peruse the links you'll see that nobody cared. At the time, I frequently found myself on the wrong end of the wrath of analysts who were insistent that whatever the problems, it didn't matter.
I never subscribed to that point of view, preferring to see it as a mark of arrogance that any one company should see fit to play fast and loose with our privacy.
Those who defend this position point to the many good things that Google gives us. All of that is true and I am genuiney grateful that Google has done so much to open up the world to so many people and created disruptive technologies like GMail. But...in light of recent revelations, the UK position is easy to understand. Still others sneer at what they see as Europe's retarded position on this topic. I wonder if those same voices are so vocal today.
These problems were echoed at the recent Cloud World Forum where Cloud Industry Forum rep Jessica Barry noted that (among other things) attendees were asking:
“This [cloud service provider] CSP claims to only hold data in the EU, but the EU has over 25 states – which one has my customer information?”
“Does the CSP have support staff in the UK or will they be accessing my system and data from other countries?”
Why doesn't Google comply?
To date, Google has done very little to put its house in order. Back in 2008, it point blank refused to comply with US requests. Why? Those who take on giants like Google cannot make a serious dent in Google's financial war chest. In 2011, France slapped Google with a fine of what was then a record of €100,000 ($140,000.) If Google doesn't comply with UK law then the worst case scenario is another slap - this time it would be £500,000 ($750,000).
These are drops in the ocean from Google's perspective. In order to bring the company to heel, multiple countries would have to impose sanctions running billions of dollars to make Google sit up and take notice.
Adverse impact
What Google may not realize is that by continuing with sloppy policies, it hurts everyone. There is plenty of demand for cloud services of the kind Google anchors. But if fresh services exploit say - Google Maps - then are they compliant? Could an otherwise perfectly decent service find itself running foul of compliance and regulatory difficulties? If so then everyone loses as the pace of innovation stalls.
Others are taking notice of the hardening EU position and realizing that the incremental cost of setting up in Europe is far outweighed by the potential loss of business. Salesforce.com plans to open a new data center in Germany. NetSuite is considering a similar move. Amazon has established a data center in Ireland. SAP has data center facilities in Germany.
As an aside, if you check Google's current privacy policy page you might notice that references to Google's commitment to transparency has gone. 'Do no evil' anyone?
Image credit: Den Howlett at ZDNet
Featured image credit: © Minerva Studio - Fotolia.com
