Germany warns Google over data collection

Oct 01, 2014, 3:06 PM EDT
The Google logo is seen on a podium holding a bottle of beer in the company's offices on August 21, 2014 in Berlin, Germany.
Adam Berry/Getty Images

In another conflict for Google in Europe, a German privacy regulator has told the company that it must give users greater control over how much and what types of their data are used by Google to create profiles. The New York Times details:

The city of Hamburg’s data protection regulator, one of Germany’s leading data protection agencies, said in a legal ruling that Google must seek Germans’ expressed permission before it uses their data to create online user profiles across its services like email, online search and its Android-based mobile products.
The watchdog said that Google’s ability to aggregate such online data without people’s consent could allow the company to ascertain individuals’ financial information, relationship status and sexual orientation, which is illegal under German law.
The German regulator acknowledged that Google did not collect this delicate information to target advertising to people online. But it added that other information that the company aggregated without users’ consent could nevertheless allow the search giant to form a detailed picture of individual users.
Hamburg’s deputy data protection commission, Ulrich Kühn, told TechCrunch: “We see no legal grounds for such profiling across services.”
While Germany has a regional system of data protection authorities, owing to its federal state structure, the Hamburg authority told Reuters it is representing Germany as part of a European task force that is examining Google’s privacy policy.
Although the watchdog notes in the ruling that Google’s privacy policy excludes linking certain sensitive user data with advertising, it argues the company is still overreaching German law by joining up usage of multiple different services without individuals’ consent, and by not offering an opt-out.
“We ordered Google to achieve unambiguous user consent before combining user data from different services for purposes that are not strictly necessary to deliver the service. In some cases (e.g. pseudonymous user profiling), the implementation of appropriate mechanisms to opt out are sufficient,” said Kühn.