Due to the questions raised when the giant announced the changes on 24 January, the Article 29 Working Party ordered the French data protection authority CNIL to lead an investigation into Google's new line.
The company didn't provide satisfactory answer to key issues, such as the description of its personal data processing operations, asked in two questionnaires. Therefore, and after analysing some documents, experts from CNIL have led EU Data protection authorities to draw their conclusions and make recommendations.
They ask Google to provide clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations. They recommend, for instance, to present a three-level detail to no degrade users' experience.
“The investigation confirmed our concerns about the combination of data across services”, says the letter. Because the American company doesn't provide user control over this issue, it should modify its practices by reinforcing citizens' consent and their opportunity to chose; improving the right to object (opt-out); and adapting combination tools to specific purposes (e.g. by differentiating the tools used for security and those used for advertising).
ICOMP, which supports principles that are essential to a healthy online environment, believes the investigation has shone a light on Google’s business model which depends on amassing as much data on individuals as possible in order to support its advertising business.
"The only reason that users have not moved away from Google over their faulty privacy practices is that they are so dominant”, said ICOMP Director Auke Haagsma, adding that “if online markets were genuinely competitive people would have alternatives and could choose companies that better protected their privacy."
"We recognize Google’s key role in the online world. Our recommendations do not seek to limit the company’s ability to innovate and improve its products, but rather to strengthen users’ trust and control, and to ensure compliance with data protection legislations and principles”, ends the letter.