Can the egg be unscrambled?

Google’s cleverly constructed undertaking actually hides the fact that the largely cosmetic changes only apply to Google’s stated policy, not to the real practices that apply to its multitude of services.  Those practices will continue to foray into the privacy of its users.  That would not be a problem if users had genuine alternatives.  They would then be able to opt for services that respect their privacy.  However without such genuine alternatives  European citizens will still be forced to give up their data with little if any choice or control over how and where it is used. As a dominant player in the online market, Google still has few constraints on its ability to collect, combine and use data on European citizens as it wishes. Furthermore, the length of time it has taken for any action to be taken is unacceptable.

Over two years ago, data regulators from across Europe unambiguously concluded that Google’s updated privacy policy breached European data protection laws on numerous grounds and yet Google’s response was very limited. Indeed, they questioned regulators’ authority to act on the matter saying it was not within European regulators’ jurisdiction.

Over the last three years Google’s collection and use of personal data has effectively been outside of European law, there is no indication from today’s announcement that any action will be undertaken to redress this.

Today’s announcement makes it abundantly clear that further steps are needed from both the ICO and Google. But very importantly action from the EU and from the member states is needed to ensure that users have a real choice between services that do and don’t respect their privacy. As long as such a choice does not exist users need to receive real protection and control over their data, and Google should provide a clear opt-out option. Making minor clarifications on an already illegal policy does not change the fact that it remains an illegal policy.