Privacy Commissioners Raise Good Points in Their Letter to Google
Last week, the Privacy Commissioners of Canada, France, Germany, Israel, Italy, Ireland, the Netherlands, New Zealand, Spain and the United Kingdom sent a letter to Google revisiting the privacy issues raised by Google’s introduction earlier this year of Google Buzz. Readers will recall that when Buzz was rolled out, Google automatically assigned Gmail users a network of “followers” from among users’ most frequent Gmail correspondents. This was done without adequately informing Gmail users about how this new service would work, and without providing sufficient information that would allow informed decisions. As stated in the Privacy Commissioners’ letter: “This violated the fundamental principle that individuals should be able to control the use of their personal information.”
The Commissioners’ April 19, 2010 letter was eclipsed in the news by the Icelandic Volcano that caused the absence of the some of the Privacy Commissioner signatories at the Washington, DC Press Conference to discuss the letter and by the simultaneous release by Google of a report on government requests for personal information.
While the letter did not make the front page of newspapers, and while the buzz over the privacy missteps by Google in introducing Buzz may be old news — Google accepted responsibility when it happened, saying it was sorry, and revised the privacy settings — the fundamental issues raised by the Privacy Commissioners in their recent letter deserve further attention. In writing to Google, the Commissioners said:
We therefor call on you, like all organisations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:
• collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
• providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
• creating privacy-protective default settings;
• ensuring that privacy control settings are prominent and easy to use;
• ensuring that all personal data is adequately protected, and
• giving people simple procedures for deleting their accounts and honouring their requests in a timely way.
The Dutch Commissioner observed that the Google letter could be the “last warning” to Google and other online companies with respect to the privacy principles the letter advanced. So, a discussion of data minimization, transparency, default privacy-protective settings, prominent controls, data security and prompt account deletion clearly is in order for companies launching new online services or proposing to change existing services. Just saying “sorry” after a misstep, as Google did with Buzz, will no longer satisfy privacy watchdogs, that seems clear.