Announcement

October 16, 2012

Letter to the French Data Protection Authority Regarding its Review of Google's Privacy Policy

The Privacy Commissioner of Canada has sent a letter to the French data protection authority, La Commission nationale de l’informatique et des libertés (CNIL), regarding its review of Google’s recently revised privacy policy.

October 11, 2012

Madame Isabelle Falque-Pierrotin
Presidente
CNIL
8, rue Vivienne
75002 Paris FR

Dear Madame,

I would like to offer my congratulations on the review carried out by the CNIL, on behalf of the Article 29 Working Party, into Google’s recently revised privacy policy.  The CNIL undertook a very thorough examination into a number of issues related to Google’s privacy policy within the context of the European Union’s privacy framework.  We commend both the CNIL and the Article 29 Working Party for their leadership on these issues.

Our approach to the privacy policy was to examine the privacy implications of the changes in the policy, namely, the lack of specific information relating to data retention, the implications of linking personal information of account holders across services, and the implications for Android users.  We did not conduct a formal investigation under the Personal Information Protection and Electronic Documents Act into these practices, but rather raised our concerns in an exchange of correspondence with the company.  We also expressed our views jointly with our Asia Pacific Privacy Authorities (APPA) colleagues.

Given our different approaches in this matter, I am unable to endorse the Working Party’s specific recommendations.  That said, I share your concerns with respect to Google’s policy of combining data, as well as its data retention and transparency practices generally.  Indeed, we asked Google earlier this year to include more information about its data retention practices in its privacy policy and to more fully inform account holders about how they can prevent the linking of their personal information.

In light of Google’s role as a leader in the information economy, I expect it to demonstrate a commitment to strengthening users’ trust and control, and to ensuring compliance with data protection legislation and principles.  We share the view that clarity, brevity, and simplified means for users to express their wishes are among the core privacy principles that all organizations need to adopt.  We join in your call for Google to commit publicly to the key principles of data protection.

We would also echo another point in your letter to Google.  We strongly encourage the company to consult with data protection authorities before it implements any new initiatives or expands any current practices that may impact on the privacy rights of users.  Such consultation should not merely be an “information session” in which we learn of new practices, but rather a true dialogue, in which we have time to provide thoughtful feedback before a new service rolls out or before an organization changes its terms of service.

I appreciate being kept informed of your progress to date.  Thank you again for the leadership you and the other members of the Article 29 Working Party have shown on this and many other emerging privacy issues. 

Sincerely,

Original signed by

Jennifer Stoddart
Privacy Commissioner of Canada

c.c.  Timothy Pilgrim

For further information see CNIL’s review (French only).