Google and the legal requirement for opt-in consent.

Yesterday’s announcement from the CPB, the Dutch DPA, that they were giving Google till the end of February to comply with the Data Protection Act is another sign that European laws on online privacy are now being enforced.

European online privacy and data protection law has a long history, developed over 60 years. Originally based on the right to privacy in Article 12 of the Universal Declaration of Human Rights of 1948 and Article 8 of the 1953 European Convention on Human Rights, then updated through Article 8 of the Charter of Fundamental Rights of the European Union (made legally binding in the EU by the 2009 Lisbon Treaty) and the Protection Directive 95/46/EC (DPD). This was continued by the 2002 ePrivacy Directive 2002/58/EC which was amended in 2009 (EPD).

The action follows the CPB’s earlier statement of November 2013 that Google’s procedures for handling personal data were in breach of the Dutch Data Protection Act. This was in turn based on an investigation by all the European DPAs, united within the Article 29 Working Party lead by the CNIL (the French DPA), that led their conclusion laid out to a letter with recommendations to Google in October 2012

The DPAs found that Google’s activities did not comply with many aspects of the DPD and the EPD. These included the requirements for purpose limitation, data minimisation, access and transparency laid out in Articles 6, 10 and 11 of the DPD as well as the requirement for a subject’s unambiguous consent in Article 7(b), and also the opt-in requirement in Article 5(3) of the EPD.

These conclusions were similar to those made in the YD case we reported in June  but more significant considering the size of Google and the scale of its processing of personal data. This is also reflected in the potential fine of €15 million if Google refuses to act.

As we described Google collects data about people’s web history on a massive scale. Almost every web site you visit includes active elements such as Google’s analytics, captcha, search, and translate functions, or uses script libraries hosted on Google’s servers. Many sites also use Google’s DoubleClick advertisement exchange, or link to YouTube videos or Google+ social networking pages. All these elements can cause cookies to be sent to Google’s US based servers which uniquely identify individuals, allowing their web history to be collected and used to direct targeted advertisements, which of course is Google main business.

This is why Google’s PREF and NID cookies are used by spy agencies to identify threads of communication gathered from mass surveillance, as revealed by the Snowden revelations. Multi-year device specific persistent cookies are much more useful for this than variable and non-unique IP addresses and Google’s universal presence on almost all popular websites, together with the relative rarity of encrypted HTTPS channels, makes them the “target detection identifier” of choice.

The CPB action shows that all companies that collect or use personal data, either based in Europe or when the data they use is about Europeans, can only do this in the context of Data Protection law. Data used to track people by associating them with unique identifiers encoded in cookies or collected using techniques such as browser fingerprinting must be processed under a lawful basis, which in most cases means unambiguous prior consent. Playing lip service with ineffective “Allow” jQuery banners while continuing to foist first-party or third-party tracking identifiers or linking to unreadable and arcane “cookie” policies can no longer be said to meet legal requirements. It is now clear that even a huge US internet company like Google risks regulatory action if it continues to allow people to be tracked without a clear legal basis, which for most situations means clear and informed prior consent.