EU v Google: Why ask one question when you can ask 69?

Late on Monday it emerged that the French data watchdog CNIL — which has been conducting an investigation into Google’s new privacy policy on behalf of the European Commission — had sent a letter to the search giant with a list of 69 questions.
Well, really, it’s 68 questions and an offer for additional remarks. But they are very specific and aimed at interrogating some of the actions that Google claims it feels are necessary to operate (you can see the full list on CNIL’s website.)
Why? You’ll remember that CNIL previously questioned the legality of Google’s recent privacy changes, which came into force at the beginning of March. Under the new rules, users who want to use one Google service cannot opt out of having their information used by all Google services — something that generated plenty of concern at the time.
The watchdog says Google should respond by April 5, which gives the company another two and a half weeks to get its lawyers on the case.
So what is Europe asking now, exactly?
Really, the several dozen questions boil down to a few major topics — basically probing what data Google collects, why, and what the real impact of the new rules is likely to be. There is also plenty of effort in trying to unpick some of the language that Google uses,
Here are the big issues, as I see it:

  • Obscurity: Did a significant proportion of Google users actually visit the privacy site? Why did some of the terms and conditions change? Why isn’t there an easy way to opt out?
  • Detail: What are the actual pieces of data that are being shared across Google services? If Google is collecting “sensitive data”, what is it and what is it used for? What anonymization or pseudonymization does Google use on data that it examines? How does Google stop people from outside Google joining the dots?
  • Persistence: Why can’t Google delete all of a user’s data if the account is closed, and how persistent are cookies for users who aren’t signed in? What happens to data from users who turn off their web history or don’t sign in? Can browser settings override Google’s tracking services?
  • There are plenty of sub-questions inside each of these, but really the legalese used by CNIL is an attempt to clarify the specifics and prevent Google from finding much wriggle room.
    It would, of course, be much easier if Europe could ask — or, more accurately, if Google would answer — the single question that runs underneath all of these ones. Why change your privacy policies like this? But the world is never simple, especially not when profit is involved.