Google's "privatised surveillance" breaks Dutch law

The Dutch Data Protection Authority has found Google to be breaking local laws with its practice of combining users’ personal data across its numerous web services.

The authority has asked Google to attend a hearing and will then decide whether to take any enforcement measures.

“Google spins an invisible web of our personal data, without our consent. And that is forbidden by law,” Dutch DPA chairman Jacob Kohnstamm said in a statement.

Changes to Google’s privacy policy made in March 2012 state that the company can aggregate data from across services for purposes including website analytics, the delivery of personalised ads and the personalisation of services.

But the authority’s report finds that Google “does not adequately inform users about the fact that it combines personal data from different services”, as required by Dutch law.

It states that Google has “failed to put adequate safeguards in place to ensure that the combining of data is strictly limited to what is necessary in the context of the legitimate purposes and that the data subject’s right to protection of their privacy prevails”.

A key finding of the report, and one which could have implications for other markets, is that Google has failed to ensure that its users are giving unambiguous consent for their data to be aggregated. The company’s argument that people using its services are bound by its ToS - and that this represents the giving of consent - does not hold water, the report says.

“It is evident from the legislative history that unambiguous consent cannot be obtained through general terms of service ... Consent - unambiguous or otherwise - [also] requires the information to be specific and the data subject to be informed.”

The authority’s findings are influenced by the fact that Google services are so ubiquitous in the Netherlands. The report states that it is “almost impossible” for a Dutch web user not to interface with Google.

Google search has a market share of over 90%, its Android OS captures 69% of the nation’s smartphone market and Dutch web users would be hard pressed to avoid the more than 2 million websites worldwide that use Google advertising cookies.

IBRS advisor Guy Cranswick expects Google’s sheer scale to play an increasing role in its tussles with international regulators. “Politicians are getting wise, after the event, of how powerful corporations are that use transfer pricing, use tax minimisation schemes, limit privacy that is counter to prevailing legal convention - and are examining their role,” he said.

“Google’s scale means regulators must make governance a priority because the trade-off in Google’s services may not be worth the price.”

The finding by Dutch authorities could thus pose problematic precedent for Google elsewhere in the EU, Cranswick said. “[This case is] about the combined effect, the aggregation, of data into connections from which various uses can or are imputed to be made ... The EU is likely to be the centre of disputes and investigations” into Google’s data handling practices, he said.

A company the size of Google may have little to fear from the kinds of fines national data protection regulators are empowered to impose. But Cranswick said Google will still be taking the investigation seriously.

“Taking Microsoft’s own problems in the 1990s as a guide, any fines are a cost of business and additional laws to stop certain behaviour or actions are accepted or worked through with regulators and lobbyists,” he said. “The bigger concern for Google are laws that stop [data aggregation] because this is essential to the company’s core operation.”

The Dutch case is not at all comparable to a French court’s verdict a few weeks ago that Google must automatically filter out scandalous images of former Formula One boss Max Mosley from search results, he added.

“The Mosley case was tabloid titillation, this is about much more - effectively privatised surveillance. The rights of the users are waived and they have no recourse over their own data, over their own privacy.”

In a statement emailed to various news agencies, Google defended its privacy policy, arguing that the policy “respects European law and allows us to create simpler, more effective services”.

The statement adds that the company has “engaged fully with the Dutch DPA throughout this process and will continue to do so going forward.”

Image courtesy of Mike Licht under CC