Skip to main content
You are here: Resources > Correspondence > Google privacy policy changes — APPA Correspondence 2012 > Letter to Article 29 Data Protection Working Party — October 2012

Letter to Article 29 Data Protection Working Party — October 2012

Our reference: P12/12

Mr Jacob Kohnstamm
Chairman
Article 29 Data Protection Working Party
C/O Commission Nationale de I’Informatique et des Libertès
8 rue Vivienne
CS 30223
75083 Paris, France

Dear Chairman Kohnstamm

Google’s Privacy Policy

I write on behalf of the following Data Protection and Privacy Authorities (the Authorities) who form part of the Asia Pacific Privacy Authorities Forum (APPA)[1]:

I refer to the PDF letter from the Commission Nationale de I’Informatique et des Libertés (CNIL) on behalf of the Article 29 Data Protection Working Party (Article 29 Working Party) to Google dated 16 October 2012, regarding the Working Party’s investigation into Google’s privacy policy.

The Authorities consider that the Article 29 Working Party has made important recommendations, and support many of the concerns expressed by the Working Party in the letter. Many of the issues addressed by the recommendations are similar to the concerns raised by the APPA Technology Working Group in its consideration of Google’s privacy policy earlier this year[2]. In that regard, the Authorities would also like to reinforce the following specific concerns.

Data retention periods

Google’s privacy policy continues to fail to provide clear timeframes for deletion of user data. In particular, where a user seeks the deletion of their data, it remains unclear when, if ever, Google deletes copies of that user’s data from its backups[3].

The Authorities agree with the Article 29 Working Party that Google should provide more comprehensive information about data retention periods, including clear and specific timeframes for the deletion of user data.

Combination of data across Google services

Support is given to the recommendation of the Article 29 Working Party that Google give users better control over their personal data.

Specifically that Google should:

Biometric information

Support is also given to the Article 29 Working Party recommendation that Google’s privacy policy should provide information about the collection and use of biometric user data, including facial recognition data.

Specifically, the policy should, at a minimum, clearly state that the use of certain services will result in the collection of biometric data, and detail how that data will be stored and used.

Further, support is also given to the Article 29 Working Party’s view that, as a market leader, Google has a responsibility to engage regulators and users on privacy matters. Google sets a high benchmark for service that is emulated by others. It is important that Google aspires to similarly high levels in protecting the privacy of its users.

Finally, the Authorities would like to commend both the Article 29 Working Party and the CNIL on their work on this issue.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Information Commissioner

October 2012


[1] APPA is the principal forum for privacy authorities in the Asia Pacific Region to form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints.

[2] Google privacy policy changes - APPA Correspondence 2012

[3] This issue was discussed in my letter on behalf of the APPA Technology Working Group dated 18 May 2012.