- May 11, 2013
Google violates Dutch Data Protection Act by combining user data
The Dutch data protection authority has found that Google’s combining of user data is in violation of the Dutch Data Protection Act. The investigation gives you an insight into the requirements for the combination of (sensitive) user data.
Google introduced its privacy policy on 1 March 2012, which states that Google can combine the personal data of data subjects collected across all of Google’s services. Before Google’s privacy policy was in effect, the French data protection authority had already initiated an investigation on behalf of all European data protection authorities (united in the Article 29 Working Party). The outcome of that initial investigation triggered six national data protection authorities, including the Dutch data protection authority (College bescherming persoonsgegevens; CBP), to start investigations based on their own national laws. On 28 November 2013, the CBP published the outcome of its investigation in its report of definitive findings.
Conclusion
The CBP found that:
- Google does not fulfill its obligation under the Dutch Data Protection Act (Wet bescherming persoonsgegevens; DDPA) to provide clear and sufficient information
- Google’s purposes for combining user data are not specific and legitimate
- Google has no legal ground for combining user data.
The CBP concluded that Google does not fulfill its obligation to provide clear and sufficient information to data subjects (i) about its identity, and (ii) the purposes for which data subjects’ personal data are processed. The CBP states three reasons for reaching that conclusion:
- Google does not provide sufficient information about its identity as a data controller on the YouTube website
- where Google does provide information to data subjects, the information is fragmented and irregular
- Google does not provide sufficiently specific information about the types of personal data that are processed and the purposes for which Google combines these data.
Google’s privacy policy states four purposes for which Google combines user data:
- personalization of services requested
- product development
- display of personalized ads
- website analytics
No legal ground
In order for combining user data to be legitimate, Google requires a legal ground under the DDPA. During the investigation, Google stated that it has legal grounds for combining user data based on:
- the unambiguous consent of data subjects (section 8 (a) DDPA)
- the necessity for the performance of a contract between Google and data subjects (section 8 (b) DDPA)
- Google’s legitimate interest (section 8 (f) DDPA).
Unambiguous consent
As Google often collects personal data with the aid of tracking cookies, the CBP concluded that Google is required to obtain data subjects’ prior informed consent. The CBP found, however, that Google does not offer data subjects any (prior) options to consent or reject their data being combined. In that light, Google stated that data subjects gave their unambiguous consent for their user data being combined by accepting Google’s general terms of service and privacy policy. The CBP, in contrast, concluded that unambiguous consent cannot be obtained through general terms of service because data subjects have to be informed and consent has to be specific.
Performance of a contract
Google argued that combining user data was necessary for the performance of a contract between Google and data subjects, since Google’s terms of service create a contractual relationship with all users of Google’s services. The CBP disagreed with Google and concluded that this legal ground is not applicable because:
- Google requires unambiguous consent due to the use of tracking cookies
- there is no justification for combining user data in Google’s relationship with specific individual data subjects (or any agreement entered into with them).
Legitimate interest
The CBP concluded that Google had not convincingly shown that its combining user data outweighs the data subject’s right to the protection of its privacy, based on:
- the sometimes sensitive nature of the processed personal data;
- the diversity of Google’s services;
- the lack of adequate and specific information;
- the lack of effective opt-outs.
* Personal note:
In the wake of the CBP and its many investigations, Google, Microsoft and other giants will face serious fines if they do not change their data collection policies.
Within the EU, laws are being put into place that will force companies to stop collecting any data if the end user opts out.
They want to force software developers to provide a binding total opt-out option.
Which means if the user installs a program, they can opt out from ANY data gathering, and the software company has no right and no authority to gather anything without explicit approval.
ISP companies within the Netherlands are working with CBP and EU counterparts to block and implement new privacy laws.
Within the Netherlands, the CBP is planning to block Google and Microsoft data collection protocols.
However, Dutch laws have not yet been approved to make this possible.
According to CBP: Data collection will happen and we do not intend to stop it.
But silent data gathering needs to stop.
If someone wants to know your phone number, email address or other private data, they should ask you, they should tell you what it's being used for and they should give you the option to allow or reject it.
On top of that, users should be allowed to demand a record which states how long your data has been stored, where it has been stored, who accessed it and for what purpose.