In January, Google announced that it would be replacing the individual privacy policies for its various products and services – including GMail, YouTube and Google+ – with a single all-encompassing policy for each user.
Earlier this year, the Article 29 Data Protection Working Party, a group of European national data protection regulators, launched an investigation into the new policy following compliants from privacy advocates. Today, the Party published the findings of its investigation in an open letter to Google.
"The investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed."
"Finally, Google failed to provide retention periods for the personal data it processes."
The letter calls on Google to "modify its practices when combining data across services"; and "disclose and detail how it processes personal data in each service and differentiate the purposes for each service and each category of data."
The Article 29 working party does not explicitly accuse Google of breaking European law. In March, European commissioner of justice Viviane Reding had alleged that the new policy breaks European data protection rules that insist companies are transparent about how they handle customer data (although she admitted that the European Commission was powerless to prosecute Google).
Last month, Microsoft announced plans to combine the terms and services of all its online products, such as Hotmail and Skydrive, allowing it to reuse ‘content’ collected through any one service across all services. That announcement was met with rather less outcry than Google’s.