The "Article 29 Data Protection Working Party" issued guidance for Google to ensure that the search giant's Privacy Policy agreement complies with EU data protection laws.

The good news is that you can also apply the points in this guidance to the Privacy Policy agreement of your own web site, mobile app, SaaS app and even Facebook app.

The Article 29 Data Protection Working Party group was founded in 1996 after the launch of the "Data Protection Directive". It's composed of representatives from data protection authorities from across EU member states, the European Data Protection Supervisor and the European Commission.

According to their Wikipedia page, the group aims to:

  • Give expert advice to EU States regarding data protection
  • Promote the same application of the Data Protection Directive in all EU member states, as well as Norway, Liechtenstein and Iceland
  • Give to the EU Commission an opinion on community laws (first pillar) affecting the right to protection of personal data

In 2012, the EU data protection authorities launched a thorough investigation into Google's Privacy Policy to assess its compliance with European data protection legislation, followed by national procedures in some EU member states in 2013 and 2014.

In a letter addressed to Google CEO Larry Page, the data protection authorities said they had found a slew of issues, some of which even led to the conclusion that Google's "current Privacy Policy did not meet the requirements laid down by national laws."

The group goes on to say:

Google must meet its obligations with respect to the European and national data protection legal frameworks and has to determine the means to achieve these legal requirements. In order to guide Google in this compliance effort, the Article 29 Working Party has developed guidelines containing a common list of measures that your company could implement. A draft version was presented to representatives of Google on 2 July 2014, at a meeting in Paris in the presence of five European data protection authorities.

The Article 29 Data Protection Working Party crafted guidance advising Google to make its Privacy Policy immediately visible without scrolling, accessible with one click, and applicable to every type of device, whether desktop, mobile or any other device.

It also suggests that Google provide a unified dashboard where users can easily manage and control the use of their personal data across all Google services, and that Google fine-tune its data retention policies to ensure that the retention period is reasonable and in line with the proportionality principle.

The guidance was divided into three parts, namely: information, user controls, and data retention policy.

This guidance given to Google can be applied to your own Privacy Policy and Terms of Service agreements.

Here's what you can take from the Article 29 Data Protection Working Party's guidance to Google and apply to your own legal agreements:

  • Your Privacy Policy should be visible and accessible.

    The Privacy Policy should be accessible without scrolling and with just one click, without going through multiple pages to find it.

  • Structure your Privacy Policy properly.

    Provide clear information about what kind of data you collect and process. Include a list of types of personal information you collect.

  • Identify yourself.

    Let users know who you are. For example, Google identifies itself as the controller of the data collected on YouTube.com.

  • Don't forget third parties.

    When you allow a third party to collect personal data from your users on your behalf, e.g. MailChimp to collect email addresses, you have to inform users about the kinds of third parties you use and how they use the collected personal data.

  • Ask for consent.

    Users should be informed about your Privacy Policy and the policies you apply to collected data, and you should obtain their consent.

  • Avoid ambiguous language.

    Use simple language in your Privacy Policy.

  • Instruct employees to get users' consent.

    If you launch new features or services that require new personal information from users, implement internal policies instructing your employees that users must give their consent.

  • Same policies regardless of device.

    Your Privacy Policy and your internal policies regarding users' personal information must apply regardless of the device or platform used: website, mobile app, device etc.

  • Multi-layer approach.

    Approach drafting your Privacy Policy with a multi-layer approach: first, state the general policy regarding personal information, then go into specifics, and so on.

  • Provide tools for users to manage their personal data.

    If your business is a SaaS business, consider implementing tools and dashboards where users can manage the use of their personal information stored with you.

  • Consent, object and remove.

    If you implement a dashboard, users should be able to consent to the collection of their personal data, but also to object to it or remove already stored data.

  • Default settings must be privacy-friendly.

    The default settings of the dashboard should be privacy-friendly.

  • Dashboard for non-registered accounts.

    If the dashboard is available only for registered accounts, provide a separate dashboard for non-registered users, so they can view and manage how you collect personal data from them while they are not logged into your website or mobile app.

  • Timing.

    Consent must be requested before you start collecting and processing data.

  • Use different cookies.

    If you operate multiple services, like Google does (Gmail, YouTube etc.), use separate cookies rather than a single one. This gives users more control over the data collected.

  • Consent for cookies.

    If you use cookies, ask for consent to store and use cookies. Also use a Cookies Policy.

The following tips concern data retention under the EU Data Protection Directive:

  • Retention period must be reasonable.

    The retention period of the collected data must be reasonable and have a legal basis. This must apply to both passive and active users of your website or mobile app.

  • Comply with proportionality principle.

    Data retention must comply with the proportionality principle.

    The Data Protection Directive defines proportionality as follows:

    Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; the data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

  • Properly anonymize data.

    If you anonymize data, disclose the anonymization process. Also, read the recommendations of Article 29 Working Party Opinion 5/2014 on anonymization.
