Google is locked in a battle it can only lose by fighting

Today, Google changed their privacy policy. These are documents we are never likely to read, and are even less likely to make headline news. But they shape how huge corporations build knowledge about us; how they lock us into commercial relationships we may not like; and even pose political and legal threats to us once governments and courts get interested in the data these policies govern.

Google, which may not be an inherently bad company, nevertheless wields enormous power. Much of this power is not about “search” or even “services” like Gmail, but about data. That data is farmed from many users, who contribute to Google’s hunger for information in return for access to the free and useful services they provide. Google’s primary customers are people needing that data, especially advertisers. Many people would say that we, the users, are in fact the product that Google is selling.

Thus their privacy policy is the bargain by which we hand over our data in return for free stuff. It should matter. Just as importantly, the power we have over that bargain, what we can negotiate, is vital to us, because as we know, privacy policies can change.

This is where Google have come unstuck. Making their policy simpler to understand is completely reasonable, and even sharing data across their services is a potentially useful idea. But European regulators, starting with the pan-EU data protection grouping called the Article 29 Working Party, don’t like the idea that users are being forced to share data across Google’s services without any ability to stop it.

They are also concerned that the new ways data may be used are not being described upfront. So, if your location data from your Android phone starts helping Google search understand the places you might want to visit, you may not expect this, and be upset or worse if it happens.

The French regulator CNIL has launched an investigation in order to establish if Google have broken EU Data Protection law, and EU Commissioner Viviane Reding has already weighed in to say she believes they have.

This isn’t a good fight for Google. They are already in a battle over the future rights we have over our data with exactly these people. Reding is proposing new protections, like fining companies up to 2 per cent of their income for data breaches, giving us the right to escape from companies like Facebook by getting our data back, and the right to delete our personal data from such companies. All these ideas may become law in the new data protection regulation that Reding is pushing.

One of the most controversial concepts for Google is the “privacy by default” principle. Such a principle could make it very hard for Google to force everyone to share data in new and unexpected ways. The expectation would be that new data sharing, as envisaged by Google’s new privacy policy, would require our active consent, and without it users could expect their privacy to be untouched.

Google, Yahoo and many other companies will be arguing against this idea, saying it may damage innovation. They argue that “privacy by default” isn’t needed, that notifying users is enough.

Facebook too, have recently introduced Netflix and Spotify services that failed to ask users if they want to share their listening habits with everyone on Facebook. This might not be the worst privacy violation in the world — but it’s certainly pretty annoying to an awful lot of people.

All of these companies are trying to do legitimate business and need the trust of their users. They also need the trust of governments. Right now, they seem to be actively proving that we really need the protections they claim should be dropped. We should listen to their actions, not their words.

Jim Killock is Executive Director of the Open Rights Group
@jimkillock
www.openrightsgroup.org