Privacy & Information Security Law Blog

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

The letter was highly critical of Google’s implementation of its social networking site, Google Buzz, in February of this year.  When it was launched, the social networking application operated by selecting popular email contacts from Gmail, Google’s private, web-based email system, and allowing them to be made public over Google Buzz by default.  Critics argued that Google had exposed personal information to the public without seeking users’ permission.  Google responded to the outcry by revising Buzz to allow users to regulate access to their contact lists.

The regulators further questioned whether Google adequately examines privacy issues prior to launching products.  The letter stated that “it is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise.  Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.”

The letter calls on Google to set an example for others to follow, requesting that Google incorporate fundamental privacy principles directly into the design of new online services.  This would include policies such as:

• collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
• providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
• creating privacy-protective default settings;
• ensuring that privacy control settings are prominent and easy to use;
• ensuring that all personal data is adequately protected, and
• giving people simple procedures for deleting their accounts and honoring their requests in a timely way.

In closing, the authorities stated that they would like a response from Google, “indicating how Google will ensure that privacy and data protection requirements are met before the launch of future products.”

In addition to publishing the letter, the signatories held a press conference on April 20, 2010, to discuss the issue further.  Below are some highlights from the press conference.

• The data protection authorities noted that Buzz was not an isolated case, and that Google is not the only company to have engaged in this kind of practice.  They said they are looking to Google to be a leader going forward by incorporating the above-listed principles from the beginning rather than waiting to respond to complaints.
• They recommended that “privacy by design” processes be incorporated throughout the life cycle of a product or service, from the design and development stages through marketing and sales.
• They emphasized the fact that, while the Internet is global, privacy enforcement is local, and signaled that they plan to act jointly in the future to further fundamental international privacy values.

The full text of the letter can be found on the Canadian Privacy Commissioner’s website.