I’m not going to go through the new policies in detail – lots of people have already done that, and in Google’s case in particular close legal investigation by the French data protection authority CNIL is underway. No, what interests me is something different. Is the biggest change in both Google and Facebook’s case actually something that we should be greeting with a little more positivity? Is it just that now they’re both telling a bit more of the truth? Showing a bit more of that transparency that we privacy advocates are always talking about?
Taking Google first, the key change in their policy, it seems to me, is that they’re admitting to data aggregation. That is, they’re openly acknowledging – indeed in some ways trumpeting – the fact that they’re now bringing together the data they gather from all the various different google services, and using it together. Google has a vast array of different services, from search to gmail, their various ‘location’ services (Google Earth, Google Streetview, Google Maps etc), YouTube, picassa, and of course Google +, so from their own perspective this makes perfect sense. Many of us in the privacy field have suspected (or even assumed) that they’ve always been doing this, or something like it – and their previous privacy policies have been vague enough or ambiguous enough that they could be read to make this sort of thing possible. Now, it seems to me, they’re being more open about it – more honest, more transparent.
That, of course, doesn’t make it any more ‘legal’ or ‘acceptable’ as a policy. Indeed, I wouldn’t be at all surprised if the CNIL investigation concludes that the new policy breaches EU data protection law – but, in reality, I wouldn’t have been at all surprised if the old policies, if investigated properly, had been in breach of EU data protection law. Even more pertinently, as I shall suggest below, I wouldn’t be at all surprised if Google’s practices, rather than they policies, were in breach of data protection law. They may well still be….
Facebook’s policy is to use your data, not to protect your privacy – isn’t it better to be open and say that?
Google’s policy is to aggregate all of your data – isn’t it better for them to be open and say that?
Policy and Practice
Finally, it should be remembered that policies are just words – what really matters isn’t what companies like Google and Facebook say they’re doing, but what they actually do. Very few people read privacy (or data use!) policies anyway. We don’t want companies to think changing privacy policies is a matter of good legal drafting – but a reflection of changing the way they actually operate, how they actually gather, hold and use our data, how they monitor us, profile us, target us and so forth. I hope that the investigation by the CNIL looks properly at that – and that the regular FTC privacy audits of both Facebook and Google do the same. I wouldn’t say I’m exactly optimistic that they will…
….at least not this time. However, I do suspect that the increase in awareness about privacy issues by both individuals and authorities is one of the reasons that policy and practice may be getting closer. Facebook and Google seem to be being more honest and open about how they deal with privacy – because they are realising that they may have to be. We’re starting to at least try to hold them to account. That must be a good thing.