Google’s new privacy policy took effect last Thursday, following several weeks campaigning to educate users on the changes. The policy will allow them to consolidate users’ data across all of its services and platforms, in a move they claim will both improve user experience and make their policy “easier to understand.” The international privacy community, however, is having none of it. Lawmakers, privacy authorities, technical experts, and privacy organizations around the world are releasing public statements and direct letters to Google representatives that are critical of the new policy. Advocacy groups criticize and condemn the changes, and the European Union, Japanese, and Canadian privacy authorities have released statements indicating that the new policy may violate their domestic privacy laws. Google meanwhile, seems to be ignoring the global outcry, dismissing criticism as “chatter and confusion.”

The opposition to Google’s changes expresses several points of concern. The privacy commissioner of Canada, Jennifer Stoddart concisely described the specific concerns. First, it will share users’ data across its more than 60 services, including all Google applications, subsidiary websites such as Youtube, and Android phones. Additionally, the consolidation of all of the previous service-specific plans makes it hard to tell what data will be retained, for how long, and what Google plans to do with the data that they collect on their users. This is significantly worrying for Android users whose device information, log information, and locational information can now all feasibly be collected. It is clear that this data integration will significantly facilitate their ability to personalize their services to their users. What is not clear are all the new unforeseeable ways the company plans to use this data.

Criticism has been aimed at Google for being vague about the changes as well as failing to consult privacy advocates about the new policy. Despite their efforts to educate their users on how they would be impacted, Google’s early explanations were not specific was substantively changing in the new policy. In fact, it took a letter from eight Congressional representatives to get them to provide straight-forward answers. The criticism levied from various entities in reaction vary from polite expressions of concern to curt demands to halt the plan altogether.

The French Data Protection Agency, on behalf of European privacy authorities, warned that Google's proposed change violates European Union privacy law [pdf]. In a letter to Google CEO Larry Page, the French agency criticized the company for not well informing data protection authorities in the EU, despite claiming to have “extensively pre-briefed” them. The official also criticizes the policy itself:

The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with the European Data Protection legislation…

If the new policy does indeed violate the European Directive on Data Protection, Google will face a big challenge in Europe.

The Australian Privacy Foundation (APF) had made efforts to compel state agencies to take action in light of the Foundation’s policy statement outlining specific critiques of the changes. Shortly after Google announced the new policy, APF sent a letter [pdf] to the Australian consumer protection agency to investigate the changes in order “to assert relevant laws and communicate to Google the serious public policy concerns.” The consumer protection agency has yet to respond.

The APF also sent a similar letter [pdf] to the Office of the Australian Information Commissioner with their policy statement attached. Timothy Pilgrim, the Australian Privacy Commissioner, responded a month later, roughly 36 hours left before Google's notice-period would expire. The letter is less critical of than the APF’s original critique.

The Japanese government’s Ministry of Internal Affairs and Communications together with the Ministry of Economy, Trade and Industry also released a statement to Google before the new policy, that it must respect privacy laws and regulations. The letter came out of concerns that the new policy could lead to violations of personal data protections laws in Japan. It asked the company to provide clearer explanations of the new rules and allow users to ask questions about the policy even after it has been initiated.

Despite the criticisms, Google’s official blog continued to defend its new policy, emphasizing that they made the changes to benefit the users:

We continue to look for ways to make it simpler for you to understand and control how we use the information you entrust to us. We build Google for you, and we think these changes will make our services even better.

But consumer groups disagree. The Transatlantic Consumer Dialogue, a coalition of consumer organizations in North America and Europe, urged [pdf] Google CEO Larry Page to drop the new policy changes:

Consumers in Europe, Canada, and Mexico have had the benefit of privacy law and privacy agencies. Consumers in the United States rely on a patchwork structure, including the US Federal Trade Commission, to protect their interests. And Internet users around the world rely on the integrity of your company, and on you, to do the right thing. Their eyes are all on you… …Going forward with this plan will be a mistake. We ask you to reconsider.

~

Before the policy took effect March 1st, EFF published two tutorials for users on how to delete their viewing and history on Youtube and Google Web History.

We've also outlined six tips on protecting your search privacy.