That change sparked an investigation by the Article 29 Working Party: the group of EU data protection authorities which includes the UK’s Information Commissioner’s Office (ICO).
The investigation led to a ruling that the new policy didn’t clearly spell out for users “how and why their personal data was being collected.”
Most of the controversy surrounded Google’s statements regarding its intention to share more information between Google services like search, Google+ and Gmail.
Venture Beat, for one, has asked the ICO to clarify that question.
Steve Eckersley, head of enforcement at the ICO, said in the ICO’s statement that while Google’s customers hadn’t been particularly damaged or distressed by the policy change, Google’s upcoming changes are still necessary, particularly given the need for users to understand “the implications of their data being combined”:
This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products.
Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law. Ensuring that personal data is processed fairly and transparently is a key requirement of the Act.
This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services. It is vital that there is clear and effective information available to enable users to understand the implications of their data being combined. The detailed agreement Google has signed setting out its commitments will ensure that.
Google’s got until 30 June 2015 to make the agreed-upon changes. The ICO said that the company will make further changes over the next two years.
The changes, some of which have already been made, will put Google in line with the UK’s Data Protection Act.
The ICO didn’t actually object to the data Google was collecting, nor how Google intended to use, or cross-pollinate, such data. Thus, the agreement reached between the two won’t change the amount or type of data collected, nor what Google does with it.
Rather, the ICO was dissatisfied with how Google has explained to consumers what was being done with their data. Going forward, Google’s promised to include illustrative examples to help make its policies more understandable.
Are Google’s privacy battles over in Europe?
Not from the looks of it.
In particular, debate is still raging over the right to be forgotten, which requires Google and other search companies to remove links in its search results for private individuals in the European Union who request removal of content that includes their name and that’s deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”