Google has faced repeated fines over its refusal to change the policy in countries such as France, Italy and Germany, but the sums involved were chickenfeed for a company of Google’s girth. The U.K.’s ICO hasn’t fined Google in this way, but has repeatedly said that Google’s settlement proposals didn’t go far enough.
Now this long-running drama may be drawing to a close. On Friday the ICO triumphantly brandished an undertaking in which Google said it would do the following things during the next two years:
- Provide users with “information to exercise their rights” and launch a redesigned account settings version to give them more control.
- “Take several measures” to tell passive users – those using third-party services that are plugged into Google services, such as advertising – more about what’s happening with their data. Those running the third-party services will also need to “obtain the necessary consents” for this data collection.
- “Enhance its guidance for employees regarding notice and consent requirements.”
The changes will make sure Google is compliant with the U.K. Data Protection Act, which is based on European law. It is not yet clear whether this is the end of the matter as far as the other EU data protection authorities are concerned — I understand that the changes will apply in all countries around the world, though.
Here’s what ICO enforcement head Steve Eckersley said in a statement:
“Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products.
“Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law… This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services.”
Although the list of commitments is fairly comprehensive, some terms are vague and the proof may lie in the implementation. For example, the EU privacy watchdogs previously demanded that users get the opportunity to “choose when their data are combined, for instance with dedicated buttons in the services.” That’s not merely a matter of giving users “information to exercise their rights”, so it will be interesting to see what the redesigned account settings entail.
So far, Google has merely said:
Still, one at a time, eh?
This article was updated at 8.15am PT to note that the changes will apply globally.