Google and Facebook under fire from Dutch government over citizens’ privacy

library
crime | hacking | security

The Dutch government is clamping down on the way in which large organisations use its citizen’s personal data.

The Dutch Data Protection Authority (DPA) threatened Google with a fine of €15m (£11.9m, $18.7m) on Monday, saying the search giant had breached various provisions of the Dutch data protection act via a privacy policy it introduced in 2012.

The company has been given until the end of February 2015 to change how it handles personal data, especially in regard to the tailoring of adverts based on keyword search queries, video viewing habits, location data and the content of email messages.

Jacob Kohnstamm, chairman of the Dutch DPA, said:

Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested.

Kohnstamm explained how, under Dutch law, Google should have informed users that it was gathering data across a number of platforms – such as YouTube and Gmail – and obtained permission before combining or analysing that data.

The regulator has now demanded that Google obtains “unambiguous” consent from users before combining their data, “via a separate consent screen”, rather than through its more generalised privacy policy.

It also ordered the company to add clarification to the policy so that users are better informed as to how each of the company’s services is using their data.

Furthermore, Google is required to make it clear that YouTube is part of its setup, though the DPA did note that this already appeared to be underway.

Five other regulators – in France, Germany, Italy, Spain and the UK – have recently received a letter from Google detailing how it intends to comply with European privacy laws but the Dutch DPA says it has yet to establish whether the proposals will suffice within its own jurisdiction.

While the DPA’s gripe with Google awaits resolution, it has now moved onto fellow data gatherer Facebook.

In another statement (in Dutch – view Google translate version) released on Tuesday it announced it would investigate Facebook’s new privacy policy.

The social network announced last month that it intends to make changes to its policy, effective from 1 January 2015.

As Facebook has a physical presence in the Netherlands, the DPA says it is authorised “to act as supervisor”, as per a European Court of Justice ruling on Google vs. Spain on 13 May 2014 (the ‘right to be forgotten‘ case).

As such, it has asked Facebook to hold fire on its new privacy policy until it has had the chance to investigate how the changes may impact Dutch users, including how Facebook obtains permission for the use of their personal data.

The latest iteration of the policy states that Facebook can use:

your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it.

Given how the key points of the policy have not changed since it was last revised in November 2013, it seems unlikely Facebook will comply with the DPA’s wishes.

According to The Telegraph, the company responded by highlighting how it is “a company with international headquarters in Dublin”, which routinely reviews its policies and procedures with its own regulator, the Irish Data Protection Commissioner.

Facebook said it is confident that its new privacy policy is compliant with all relevant laws.