Letter to Article 29 Data Protection Working Party — October 2012

Our reference: P12/12

Mr Jacob Kohnstamm
Chairman
Article 29 Data Protection Working Party
C/O Commission Nationale de I’Informatique et des Libertès
8 rue Vivienne
CS 30223
75083 Paris, France

Dear Chairman Kohnstamm

Google’s Privacy Policy

I write on behalf of the following Data Protection and Privacy Authorities (the Authorities) who form part of the Asia Pacific Privacy Authorities Forum (APPA)[1]:

• Office of the Australian Information Commissioner, Australia
• Office of the Privacy Commissioner for Personal Data, Hong Kong, SAR
• Office for Personal Data Protection, Macao, SAR
• Federal Institute for Access to Information and Data Protection, Mexico
• Office of the Information and Privacy Commissioner for British Columbia, Canada
• Office of the Information Commissioner, Queensland, Australia
• Office of the Victorian Privacy Commissioner, Victoria, Australia
• Office of the Information Commissioner, Northern Territory, Australia, and
• Office of the Privacy Commissioner, New South Wales, Australia.

I refer to the letter from the Commission Nationale de I’Informatique et des Libertés (CNIL) on behalf of the Article 29 Data Protection Working Party (Article 29 Working Party) to Google dated 16 October 2012, regarding the Working Party’s investigation into Google’s privacy policy.

The Authorities consider that the Article 29 Working Party has made important recommendations, and support many of the concerns expressed by the Working Party in the letter. Many of the issues addressed by the recommendations are similar to the concerns raised by the APPA Technology Working Group in its consideration of Google’s privacy policy earlier this year[2]. In that regard, the Authorities would also like to reinforce the following specific concerns.

Data retention periods

Google’s privacy policy continues to fail to provide clear timeframes for deletion of user data. In particular, where a user seeks the deletion of their data, it remains unclear when, if ever, Google deletes copies of that user’s data from its backups[3].

The Authorities agree with the Article 29 Working Party that Google should provide more comprehensive information about data retention periods, including clear and specific timeframes for the deletion of user data.

Combination of data across Google services

Support is given to the recommendation of the Article 29 Working Party that Google give users better control over their personal data.

Specifically that Google should:

• provide active and passive users with simple and centralised opt-out mechanisms, and
• allow authenticated users to control which services they are logged in to at any one time and, as a result, what parts of their user data will be combined.

Biometric information

Support is also given to the Article 29 Working Party recommendation that Google’s privacy policy should provide information about the collection and use of biometric user data, including facial recognition data.

Specifically, the policy should, at a minimum, clearly state that the use of certain services will result in the collection of biometric data, and detail how that data will be stored and used.

Further, support is also given to the Article 29 Working Party’s view that, as a market leader, Google has a responsibility to engage regulators and users on privacy matters. Google sets a high benchmark for service that is emulated by others. It is important that Google aspires to similarly high levels in protecting the privacy of its users.

Finally, the Authorities would like to commend both the Article 29 Working Party and the CNIL on their work on this issue.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Information Commissioner

October 2012

---