Privacy guardians warn multinationals to respect laws
Ten data protection authorities from around the world say Google Inc. and other international corporations are
overlooking privacy values and legislation when they launch new online products.
WASHINGTON, D.C., April 20, 2010 – Privacy Commissioner of Canada Jennifer Stoddart and several international counterparts have issued a joint letter
directing Google Inc. and other international corporations to respect the privacy rights of people around the globe.
“While we hear corporations such as Google pay lip service to privacy, we don’t always see this reflected in the launch
of new products,” says Commissioner Stoddart.
“As part of an unprecedented collaboration, data protection authorities representing over 375 million people in 10
countries are speaking with a common voice to remind these organizations that they must comply with the privacy laws of
each country where they roll out online products and services.”
Commissioner Stoddart was among the signatories to a joint letter to Google Chief Executive Officer Eric Schmidt expressing deep concern about his company’s privacy practices, particularly in relation to the recent launch of its
social network, Google Buzz.
The letter, signed by the heads of data protection authorities in Canada, France, Germany, Ireland, Israel, Italy, the
Netherlands, New Zealand, Spain and the United Kingdom, stated:
“(W)e are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as
Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social
networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this
was not the first time you have failed to take adequate account of privacy considerations when launching new services.”
The data protection authorities go on to note that the privacy problems associated with the initial global rollout of
Google Buzz in February should have been “readily apparent” to the company.
Google Mail, or Gmail, had been a private, one-to-one web-based e-mail service, but was abruptly melded with a new
social networking service. Google automatically assigned users a network of “followers” from among people with whom they
corresponded most often on Gmail, without adequately informing those users about how this new service would work or
providing sufficient information to permit informed consent.
These actions violated the fundamental, globally accepted privacy principle that people should be able to control the
use of their personal information.
Gmail users – understandably concerned that their personal information was being disclosed – were highly critical of the
new service. In response, Google apologized and quickly introduced changes to address the widespread criticism.
Previously, Google has raised significant privacy concerns in many countries with the launch of its Street View service,
which displayed images of street scenes on the Internet.
In the letter, the data protection authorities recognized that Google is not the only online company that has introduced
services with inadequate protections for privacy. However, they urged Google to set an example “as a leader in the
online world.”
“We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate
fundamental privacy principles directly into the design of new online services.”
The letter makes specific recommendations for enhancing privacy protections and asks Google to explain how it will
comply with national privacy laws in the future.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy
and the protection of personal information rights of Canadians.
The letter is available on our website, http://www.priv.gc.ca/media/nr-c/2010/let_100420_e.cfm
--
Letter to Google Inc. Chief Executive Officer
The Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of the data protection authorities in France,
Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom sent the following letter to the
chief executive officer of Google Inc. to express their concerns about privacy issues related to Google Buzz.
April 19, 2010
Mr. Eric Schmidt
Chairman of the Board and
Chief Executive Officer
Google Inc.
Mountain View, CA
USA 94043
Dear Mr. Schmidt:
Google is an innovative company that has changed how people around the world use the Internet. We recognize your
company’s many accomplishments and its dramatic impact on our information economy. As data protection regulators
mandated to protect privacy rights, we also applaud your participation in discussions in many jurisdictions about new
approaches to data protection.
However, we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten
as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social
networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this
was not the first time you have failed to take adequate account of privacy considerations when launching new services.
The privacy problems associated with your initial global rollout of Google Buzz on February 9, 2010 were serious and
ought to have been readily apparent to you.
In essence, you took Google Mail (Gmail), a private, one-to-one web-based e-mail service, and converted it into a social
networking service, raising concern among users that their personal information was being disclosed. Google
automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail,
without adequately informing Gmail users about how this new service would work or providing sufficient information to
permit informed consent decisions. This violated the fundamental principle that individuals should be able to control
the use of their personal information.
Users instantly recognized the threat to their privacy and the security of their personal information, and were
understandably outraged. To your credit, Google apologized and moved quickly to stem the damage.
While your company addressed the most privacy-intrusive aspects of Google Buzz in the wake of this public protest and
most recently (April 5, 2010) you asked all users to reconfirm their privacy settings, we remain extremely concerned
about how a product with such significant privacy issues was launched in the first place. We would have expected a
company of your stature to set a better example. Launching a product in “beta” form is not a substitute for ensuring
that new services comply with fair information principles before they are introduced.
It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of
repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online
audiences around the world.
Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due
consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns
related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern
about the adequacy of the information you provide before the images are captured.
We recognize that Google is not the only online company with a history of introducing services without due regard for
the privacy of its users. As a leader in the online world, we hope that your company will set an example for others to
follow.
We therefore call on you, like all organisations entrusted with people’s personal information, to incorporate
fundamental privacy principles directly into the design of new online services. That means, at a minimum:
• collecting and processing only the minimum amount of personal information necessary to achieve the identified
purpose of the product or service;
• providing clear and unambiguous information about how personal information will be used to allow users to
provide informed consent;
• creating privacy-protective default settings;
• ensuring that privacy control settings are prominent and easy to use;
• ensuring that all personal data is adequately protected, and
• giving people simple procedures for deleting their accounts and honouring their requests in a timely way.
In addition to respecting these broad principles, we also expect all organisations to comply with relevant data
protection and privacy laws. These laws apply online, just as they do in the physical world. As well, we encourage
organisations to engage with data protection authorities when developing services with significant implications for
privacy.
As your users made clear to you in the hours and days after the launch of Google Buzz, privacy is a fundamental right
that people value deeply. As regulators responsible for promoting and overseeing compliance with data protection and
privacy laws, we hope that you will learn from this experience as you design and develop new products and services.
We would like to receive a response indicating how Google will ensure that privacy and data protection requirements are
met before the launch of future products.
Sincerely,
Original signed by
Jennifer Stoddart
Privacy Commissioner of Canada
Original signed by
Alex Türk
Chairman, Commission Nationale de l'Informatique et des Libertés (France)
Original signed by
Peter Schaar
Commissioner, Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Germany)
Original signed by
Billy Hawkes
Data Protection Commissioner of Ireland
Original signed by
Yoram Hacohen
Head of the Israeli Law, Information and Technology Authority
Original signed by
Francesco Pizzetti
Garante per la protezione dei dati personali (Italy)
Original signed by
Jacob Kohnstamm
Chairman, College Bescherming Persoonsgegevens (Netherlands)
Chairman, Article 29 Working Party
Original signed by
Marie Shroff
Privacy Commissioner, New Zealand
Original signed by
Artemi Rallo Lombarte
Director, Agencia Española de Protección de Datos (Spain)
Original signed by
Christopher Graham
Information Commissioner and Chief Executive (United Kingdom)
ENDS