Privacy guardians' letter to Google
Privacy guardians warn multinationals to respect laws
Ten data protection authorities from around the world say Google Inc. and other international corporations are overlooking privacy values and legislation when they launch new online products.
WASHINGTON, D.C., April 20, 2010 – Privacy Commissioner of Canada Jennifer Stoddart and several international counterparts have issued a joint letter directing Google Inc. and other international corporations to respect the privacy rights of people around the globe.
“While we hear corporations such as Google pay lip service to privacy, we don’t always see this reflected in the launch of new products,” says Commissioner Stoddart.
“As part of an unprecedented collaboration, data protection authorities representing over 375 million people in 10 countries are speaking with a common voice to remind these organizations that they must comply with the privacy laws of each country where they roll out online products and services.”
Commissioner Stoddart was among the signatories to a joint letter to Google Chief Executive Officer Eric Schmidt expressing deep concern about his company’s privacy practices, particularly in relation to the recent launch of its social network, Google Buzz.
The letter, signed by the heads of data protection authorities in Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, stated:
(W)e are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services.
The data protection authorities go on to note that the privacy problems associated with the initial global rollout of Google Buzz in February should have been “readily apparent” to the company.
Google Mail, or Gmail, had been a private, one-to-one web-based e-mail service, but was abruptly melded with a new social networking service. Google automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail, without adequately informing those users about how this new service would work or providing sufficient information to permit informed consent.
These actions violated the fundamental, globally accepted privacy principle that people should be able to control the use of their personal information.
Gmail users – understandably concerned that their personal information was being disclosed – were highly critical of the new service. In response, Google apologized and quickly introduced changes to address the widespread criticism.
Previously, Google has raised significant privacy concerns in many countries with the launch of its Street View service, which displayed images of street scenes on the Internet.
In the letter, the data protection authorities recognized that Google is not the only online company that has introduced services with inadequate protections for privacy. However, they urged Google to set an example “as a leader in the online world.”
“We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services.”
The letter makes specific recommendations for enhancing privacy protections and asks Google to explain how it will comply with national privacy laws in the future.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
The letter is available on our website, http://www.priv.gc.ca/media/nr-c/2010/let_100420_e.cfm
--
Letter to Google Inc. Chief Executive Officer
The Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of the data protection authorities in France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom sent the following letter to the chief executive officer of Google Inc. to express their concerns about privacy issues related to Google Buzz.
April 19, 2010
Mr. Eric Schmidt
Chairman of the Board and Chief Executive Officer
Google Inc.
Mountain View, CA
USA
94043
Dear Mr. Schmidt:
Google is an innovative company that has changed how people around the world use the Internet. We recognize your company’s many accomplishments and its dramatic impact on our information economy. As data protection regulators mandated to protect privacy rights, we also applaud your participation in discussions in many jurisdictions about new approaches to data protection.
However, we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services.
The privacy problems associated with your initial global rollout of Google Buzz on February 9, 2010 were serious and ought to have been readily apparent to you.
In essence, you took Google Mail (Gmail), a private, one-to-one web-based e-mail service, and converted it into a social networking service, raising concern among users that their personal information was being disclosed. Google automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail, without adequately informing Gmail users about how this new service would work or providing sufficient information to permit informed consent decisions. This violated the fundamental principle that individuals should be able to control the use of their personal information.
Users instantly recognized the threat to their privacy and the security of their personal information, and were understandably outraged. To your credit, Google apologized and moved quickly to stem the damage.
While your company addressed the most privacy-intrusive aspects of Google Buzz in the wake of this public protest and most recently (April 5, 2010) you asked all users to reconfirm their privacy settings, we remain extremely concerned about how a product with such significant privacy issues was launched in the first place. We would have expected a company of your stature to set a better example. Launching a product in “beta” form is not a substitute for ensuring that new services comply with fair information principles before they are introduced.
It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.
Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured.
We recognize that Google is not the only online company with a history of introducing services without due regard for the privacy of its users. As a leader in the online world, we hope that your company will set an example for others to follow.
We therefore call on you, like all organisations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:
• collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
• providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
• creating privacy-protective default settings;
• ensuring that privacy control settings are prominent and easy to use;
• ensuring that all personal data is adequately protected, and
• giving people simple procedures for deleting their accounts and honouring their requests in a timely way.
In addition to respecting these broad principles, we also expect all organisations to comply with relevant data protection and privacy laws. These laws apply online, just as they do in the physical world. As well, we encourage organisations to engage with data protection authorities when developing services with significant implications for privacy.
As your users made clear to you in the hours and days after the launch of Google Buzz, privacy is a fundamental right that people value deeply. As regulators responsible for promoting and overseeing compliance with data protection and privacy laws, we hope that you will learn from this experience as you design and develop new products and services.
We would like to receive a response indicating how Google will ensure that privacy and data protection requirements are met before the launch of future products.
Sincerely,
Original signed by
Jennifer Stoddart
Privacy Commissioner of Canada
Original signed by
Alex Türk
Chairman, Commission Nationale de l'Informatique et des Libertés (France)
Original signed by
Peter Schaar
Commissioner, Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Germany)
Original signed by
Billy Hawkes
Data Protection Commissioner of Ireland
Original signed by
Yoram Hacohen
Head of the Israeli Law, Information and Technology Authority
Original signed by
Francesco Pizzetti
Garante per la protezione dei dati personali (Italy)
Original signed by
Jacob Kohnstamm
Chairman, College Bescherming Persoonsgegevens (Netherlands)
Chairman, Article 29 Working Party
Original signed by
Marie Shroff
Privacy Commissioner, New Zealand
Original signed by
Artemi Rallo Lombarte
Director, Agencia Española de Protección de Datos (Spain)
Original signed by
Christopher Graham
Information Commissioner and Chief Executive (United Kingdom)
ENDS