Google’s new privacy policy is not that new, as it “went into force” on March 1. It is still big news in data protection terms, though, at least as far as European data protection authorities are concerned. CNIL, commissioned by the Art. 29 Working Party, has now sent a second rather comprehensive questionnaire to Google. Obviously they were not completely sold on Google’s answers to the first set of questions CNIL had sent in March.
When you read the questions, including the statements that come with them as well as the many hints at what CNIL is really thinking, you get a pretty good idea about the (continental, admittedly) European approach to what is expected of big online players in terms of their informing the users on the collection and use of personal, and not so personal, data.
It is obvious that CNIL has made quite an effort to actually analyze the policy in detail and distil the questions that the current version indeed does not answer. I think this, as such, is laudable approach, and it might in the end lead to a certain degree of improvement of the information presented. It is certainly much better than simply ranting about Big Internet as some data protectors feel free to do in Germany (in that case Facebook was the victim). Do click the link! It is worth it. Goes to show that civil servants don’t need to be dull, after all!Still, the whole “companies have to disclose each and every detail of how they deal with user data” idea makes me more and more nervous. I cannot help but feel that it’s less about the average user’s right to be informed, but more about a general hostility towards large and successful online companies (who, by chance, happen to mostly come from outside the EU).
First, I quite simply doubt that it is humanly possible to compile comprehensive information about something as complex as data processing – and to at the same time achieve what, for instance, section 13 of the German Telemedia Act requires: to inform the user “in a way that is understandable for everyone”. No average user will browse through and read the dozens of documents it would take to explain in all detail how things are done. An overflow of detail simply does no good.
Second – not that that matters when data protection purists lead the bill, of course – it would require companies to publish new versions of their privacy policies all the time. The more detailed and technical the privacy policy is, the faster it will be outdated at least in certain specific aspects, because the exact processes are under constant development and change all the time. That would lead to more transparency for the user at all.
And third, constantly requiring more and more specifics, details, process descriptions and – essentially – business methods (because that is what, for instance, the exact way of pseudonymizing, grouping, filtering and so on of user data for targeting purposes is), and the continuing demand to – let’s be honest here –outlaw them, intrude into the very core of what online companies do for a living. And that I find rather difficult to applaud. Evan Brown of internetcases.com recently wrote a really good post on the subject recently.