Europe to Google: Here's how we want you to protect user privacy

Google receives guidelines from European regulators explaining how it can avoid running afoul of privacy laws, reports Reuters.

Europe is now trying to tell Google how best to handle the privacy of its users.

For years, the search giant has been tussling with European privacy regulators over how it collects and stores the data of its users. In 2012, Google got into trouble after it said it planned to revamp its privacy policies to "combine personal information" across its multiple products and services. The company justified the change by saying it would consolidate its 60 different privacy policies into a single, simpler policy.

European regulators didn't see it that way and wanted Google to change its new policy. In 2013, France's privacy watchdog, the Commission Nationale de l'Informatique et des Libertés (CNIL), said that six different countries -- France, Germany, Italy, the Netherlands, Spain and the UK -- would launch investigations into Google over its non-compliance with European privacy regulations.

This week, European regulators took the next step by sending Google a list of guidelines telling it exactly how to comply with local laws, Reuters reported. Issued this past Tuesday by European data protection authorities, known as the Article 29 Working Party, the 6-page guideline document spells out a series of requirements that Google could and should follow to stay out of further trouble.

In one series of recommendations, Google's privacy policy must be visible to users from each landing page, must be clear and unambiguous, and must list all of the purposes for which personal data are processed by the company. Further, Google should inform users if and when it allows third-party partners to collect personal data.

European regulators also suggest that Google make it easy for users to manage their personal data with a new dashboard that would include all of the company's services. Users would then be able to control the privacy settings for each service, though "privacy-friendly" default settings could also be in place.

Consent to allow your personal data to be used would also have to be clearly laid out as per the following recommendation:

Specific and information based consent. To be valid, consent must be specific and based on appropriate information. All users of Google services are to be informed in a clear and distinct manner, for instance by means of a pop-up or banner. This banner or area should contain a simplified information notice mentioning the purpose plus a link to Google's privacy policy, as well as an additional link to another area or section where users' choices can be fine-tuned (to refuse consent to specific purpose, or to select the scope of purpose allowed for by the user with regard to the individual features offered by Google).

Finally, Google should clearly explain its data retention policy for all data gathered about its users.

"Retention policies should be sent to European DPAs (data protection authorities); the retention period for each type of data should be justified and should be specific to each purpose and legal basis," the guidelines stated.

The ball is now in Google's court to respond to these guidelines and try to continue further discussions with European regulators. In its letter to Google, the Article 29 Working Party said it "remains open to discuss any other measures that Google would propose to address the legal requirements."

Responding to a request for comment from CNET, a spokesperson for Google sent the following statement:

We've worked with the different data protection authorities across Europe to explain our privacy policy changes. We're always open to their feedback and look forward to further discussing their suggestions in detail.