Google did this in the face of a stern warning, from Isabelle Falque-Pierrotin, that the new policy might not meet the requirements of the European Directive on Data Protection. "Well, hey, we're Google and who the heck is Isabelle Falque-Pierrotin?" seemed to be the response from the "Don't Be Evil" empire.
In case you are asking yourselves the same question, Ms. Falque-Pierrotin heads up the Commission Nationale de L'Informatique et des Libertés (CNIL), an independent administrative authority based in France.
Why should Google care?
Google should care because the CNIL supervises compliance with data privacy legislation and was invited by the EU's Article 29 Working Party to inspect the new Google policy on behalf of data protection authorities across the community.
In simple terms, as far as Google is concerned, Ms. Falque-Pierrotin is Europe. Ignoring her may not have been the smartest move.
Google has been summoned to a meeting with the CNIL next week (which, of course, it "welcomes") to explain the responses the search giant provided to a CNIL questionnaire. CNIL has questions:
We are not totally satisfied with their responses so we have set up this meeting to discuss the issues with Google. We want to untangle the precise way that specific personal data is being used for individual services, and examine what the benefit for the consumer really is.
Just to translate this for Google: Europe thanks you for your offer of a "beautifully simple, intuitive user experience," but Europe still wants to know what this actually means when it comes to personal data and individual liberties. (Europe is still big on individual liberties.)
Following the meeting, the CNIL plans to confer further with other EU data regulation authorities before issuing a report.
I can see no reason for Google to be optimistic about the outcome of this investigation. After all, this message to Google from February 28 is still pinned at the top of the CNIL Website's front page:
By merging the privacy policies of its services, Google makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service. As such, Google's new policy fails to meet the requirements of the European Data Protection Directive (95/46/CE) regarding the information that must be provided to data subjects.
It's conceivable that Google will be asked to make only minor changes to the new policy. The chances of it receiving a clean bill of health, given the regulator's preliminary findings, seem to me to be approximately zero. The worst scenario for Google -- a rejection of Google's key strategy of integrating data from different services -- seems a perfectly possible outcome.
If that occurs, the consequence might be a global rethink of the policy by Google, as administering different privacy policies in different territories would be a logistical nightmare.
Is it possible that Google still thinks there's a way to ignore, defy, or manoeuvre around the CNIL's ultimate findings? Or will 2012 be the year that data-grabbing by major Internet enterprises finally gets stuck in the legal mud?
An old rhyme comes to mind:
Don't care was made to care,
Don't care was hung:
Don't care was put in a pot
And boiled till he was done.
— Kim Davis, Community Editor, Internet Evolution