Points de vue alternatifs

Analyse et veille des médias internationaux : géopolitique, économie, numérique...


La politique de confidentialité de Google viole les lois néerlandaises (régulateur)

Publié par Kiergaard sur 29 Novembre 2013, 00:28am

Catégories : #Numérique

La politique de confidentialité de Google viole les lois néerlandaises (régulateur)

La Dutch Data Protection Authority a rendu jeudi 28 novembre les conclusions de son enquête visant à déterminer si la politique de confidentialité de Google était conforme au droit néerlandais de protection des données personnelles. Selon l'autorité (semblable à la CNIL), cette politique viole la loi de protection des données personnelles néerlandaises.

Communiqué
Rapport (traduction anglaise)

  • Au delà de la caractérisation de violations, le rapport est une manière de mieux comprendre comment fonctionne la politique de confidentialité des géants du numérique. Le rapport est très détaillé et permet de saisir la complexité de ce fonctionnement.
  • Interrogé par Reuters, le directeur de l'agence de régulation néerlandaise aurait déclaré : "Google tisse un web invisible constitué de nos données personnelles [...] c'est interdit par la loi" ("Google spins an invisible web of our personal data, without consent," said Jacob Kohnstamm, the chairman of the DPA. "That is forbidden by law." [source])
  • Le sommaire du rapport est particulièrement bien construit et permet d'embrasser en 4 pages l'intégralité des éléments contenus dans le rapport.

"Because Google has no legal ground for processing the data for the four examined purposes, the personal data collected by Google from all three types of users are not being collected for legitimate purposes (as being examined here), with the result that Google is acting in breach of the provisions of Article 7 of the Wbp* in this respect as well."
* Wet bescherming persoonsgegevens (loi de protection des données personnelles néerlandaise)

"Because of the lack of information on its identity as data controller on the YouTube website, the fragmented and inconsistent method of providing information and the lack of specific information about the types of personal data and the purposes for which Google combines these data, Google is acting in breach of the provisions of Articles 33 and 34 of the Wbp."

"However, there is no evidence of unambiguous consent as referred to in Article 8, opening words, and (a) of the Wbp, since Google does not offer data subjects any (prior) options to consent to or reject the examined data processing activities"

"Finally, consent – unambiguous or otherwise – requires the information to be specific and the data subject to be informed. As shown above, Google does not adequately inform users about the fact that it combines personal data from different services, with or without the aid of cookies." (Il y a bien le : "acceptez d'utiliser nos cookies où n'utilisez pas nos services...")

L'étude est centrée autour des questions suivantes :
"The investigation focused on the following questions:
- Are certain data which Google collects and processes personal data as defined in Article 1, opening words, and (a) of the Wbp?
- Does the new privacy policy, in combination with additional information, provide data subjects with the information referred to in Articles 33 and 34 of the Wbp?
- Does Google have a legal ground for combining (processing) data from different services as referred to in Article 8 of the Wbp?
- Are the purposes for which Google processes data (in the context of the combining of data) legitimate and specific as referred to in Article 7 of the Wbp? This relates in particular to the following purposes:
1. the provision of services to passive users
2. product development
3. advertising purposes
4. analytical purposes
- Are the personal data that Google collects and processes for the aforementioned combination purposes relevant and not excessive, as referred to in Artic
le 11 of the Wbp?"

=>


In brief, the CNIL concluded that Google:
1. is acting in breach of its obligation to provide information, especially in respect of ‘passive’ users;
2. has no legal ground for the combining of data from various services for a number of specific purposes;
3. wrongly omits to state retention periods either in its privacy policy or in its communication with the data protection auth
ority.


Archives

Nous sommes sociaux !

Articles récents