PIPC expressed concern over Google's violation of personal information protection policy

The Personal Information Protection Commission pointed out that the Google's current privacy policy possibly violates the relevant Acts in Korea concerning 'the purpose of the personal information process and a minimal collection', 'the consent procedure of users’ and 'erasure of personal information', and, accordingly, it may collect and use more personal information than necessary and restrict the choices of users.
The Commission had a plenary meeting on June 11 and presented the comments with the above as the main agenda item.

A summary of what the Commission indicated about Google is as below:

Firstly, Google describes the purpose of the personal information process in an ambiguous and inclusive way, which allows it to collect and use an excessive amount of personal information;
Secondly, Google possibly violates user choices about personal information as Google seeks comprehensive consent of users en bloc for processing their personal information through the integrated policy;
Thirdly, Google fails to stipulate the details in the policy for immediate deletion of personal information where there are user requests.

The Commission decided that such problems of the Google policy may be in violation of Article 3 of the Personal Information Protection Act which regulated 'the specification of the purpose of the personal information process and the minimal collection of personal informatio', Article 15 and Article 22 of the Act about 'consent for the personal information process', Article 21 and Article 36 of the Act about 'erasure of personal information', and the relevant Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.

The Commission, with respect to this matter, indicated that Google rather aggravated the privacy policy under the pretext of 'keeping it as simple as possible' when they integrated the policy for over 60 services last March 1. Specific examples include the ambiguous and comprehensive revision of the purpose of processing personal information, vulnerability of the procedure of prior consent for use in addition to the purpose of processing personal information, and deletion of individual choice as personal information is integrated or combined.

The Commission has been paying attention to the situation and listening to comments from the parties concerned since Google's policy integration became the subject of discussion, has formed a Google Subcommittee and examined problems, and expressed its opinions considering the indications made by the Korea Communications Commission and measures taken recently by Google overall concerning the matter.

Mr. Im, Jong In (Chairman of Google Subcommittee), a member of the Personal Information Protection Commission, pointed out that Google's integrated policy should not become an indulgence to collect and use all types of personal information without limits, and emphasized that the present policy provisions for the comprehensive purpose and the procedure for collective consent, and the insufficient provision for the erasure of the personal information must be corrected as quickly as possible.


Personal Information Protection Commission

Decision

Title : Comments on Improvements of Privacy Policy of Google Inc.

Main Sentence



Google Inc. (hereinafter referred to as 'Google') set the purpose of collecting personal information comprehensively in its privacy policy, failed to provide choices for users, asked consent en bloc for collection and use of personal information, and keeps personal information for a period of time longer than necessary, resulting in possibly excessive collection and misuse and abuse of the information as a result.



Accordingly, the Personal Information Protection Commission decided that collection and use of personal information by Google may be in violation of 'specification of purpose' and 'minimal collection of personal information'regulated in Article 3 and Article 16 of the Personal Information Protection Act and Article 23 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (hereinafter referred to as the 'Information and Communications Act'), Article 15 and Article 22 of the Personal Information Protection Act and Article 22 and Article 26 (2) of the Information and Communications Act which stipulated 'consent for collection and use of personal information', Article 21, Article 36, and Article 37 of the Personal Information Protection Act, and Article 29 and Article 30 of the Information and Communications Act which regulated 'erasure of personal information', and to pronounce an opinion that Google's privacy policy shall be improved as below:



1) The purpose of collecting personal information shall be specified more clearly, and personal information required for the purpose and services shall be collected and used to the minimum extent;



2) Where personal information shall be used for other purposes than 'the purpose at the time of collecting the information' or services which have to respect the choices of individuals such as a provision of customized individual contents shall obtain additional consents;



3) The principle of erasing personal information immediately shall be specified in the policy where the holding period of personal information shall be expired or a data subject requests for erasure of the information;



Reason

Background of Recommendation


On January 24, 2012, Google announced a plan to integrate their privacy policy for users of over 60 of their services including search, mail, and YouTube starting March 1. Wary of misuse and abuse of personal information, EU asked Google to delay the integration of policy until the end of the inspection but Google moved ahead last March 1.



Meanwhile, the Korea Communications Commission pointed out on February 28, 2012, that Google's privacy policy, to be changed on March 1, might have been partially insufficient to comply with the Information and Communications Act and recommended that it be improved. Google posted 'additional information related to personal information for residents in Korea' based upon a guide to the purpose of use, collected information, and the use of multiple accounts on the homepage for this on April 16.



Following an overall examination of Google's privacy policy, the indications of the Korea Communications Commission, and measures taken by Google, the Personal Information Protection Commission decided that the privacy policy still may be in violation of the Personal Information Protection Act and the Information and Communications Act.



Judgment


'Specification of Purpose and Minimal Collection of Personal Information'



Google may be in violation of Article 3 and Article 16 of the Personal Information Protection Act and Article 23 of the Information and Communications Act because Google set a comprehensive policy on the collection and use of personal information, and collected an overly excessive amount of information based on the privacy policy.


Regulations


The Personal Information Protection Act stipulates that "a personal information controller shall make clear the purpose of managing personal information, collect personal information lawfully and legitimately, and limit the collection to the minimum extent necessary to achieve such purpose." (Article 3 Clause 1) and "a personal information controller shall collect the minimum information necessary for achieving the purpose thereof. In such cases, the personal information controller is responsible for proving that he/she collects the minimum personal information." (Article 16 Clause 1) respectively.



Moreover, the Information and Communications Act states that "A provider of information and communication service shall collect the information to the minimum extent to provide the information and communication service where he/she shall collect personal information of users."(Article 23 Clause 2).



For reference, the OECD Privacy Guideline also limits the use of personal information for different purposes together with the 'purpose specification principle' concerning the matter.



Specific Violations


Google specified that it collects information "to provide better services to all of our users." Google also stated that "We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads."



Such collection and use of personal information is highly inclusive and may provide a basis for overly excessive collection and use of personal information. Additionally, collection and use of personal information "to provide better services" or "to develop new services" may be used as grounds to justify unlimited collection of personal information in the future as well as the present.



Likewise, to use personal information "to protect Google and our users" is highly likely over-application as it not only failed to have a direct relationship with Google services but also omitted a specific purpose. The provision is rather regression of the previous provision 'to protect the rights or property of Google or our users' in the policy and violates the spirit of the law which requires a collector of personal information to specify the purpose of processing personal information.



Google specified in the policy that they may collect ① Information users give Google (name, email address, telephone number or credit card) and ② Information Google gets from use of their services by users (device information, log information, location information, unique application numbers, local storage, cookies, and anonymous identifiers).



However, these are just examples of the information that Google may collect. Google may share things with other users and combine personal information from one service with information, including personal information, from other Google services. Google specifies that it may collect "more complex things like the people who matter most to you online" in addition to figuring out basic information based on the sharing and a combination of the information. A wide range of personal information that may show personal behavior including personal interest and preferences may be created and used during the process, which may also include collection and use of sensitive personal information that was unintended to be given by users when they provided the information initially.



When using Google Voice, for example, all types of calling records including user phone numbers, calling-party numbers, forwarding numbers, time and date of calls, and duration of calls may be collected, and location information may be collected when Google Maps is activated. Where the two sets of information are combined, more specific information such as who, when, where, and what may be created and even personal interest and preferences can be identified. This may be considered to be excessive personal information that goes beyond the bounds of collection and use of personal information as it is specified in the policy provisions.


Consent Procedures for Collection and Use of Personal Information



Since Google failed to specify details on the types of personal information to be collected, the purpose of collecting personal information by type, and the retention period for personal information when they stated the necessity for obtaining personal information collected for each of over 60 services, and asked for consent en bloc through the integration of the privacy policy, it is possibly in violation of Article 15, Article 18, and Article 22 of the Personal Information Protection Act and Article 22 and Article 26 (2) of the Information and Communications Act for consent procedures of collection and use of personal information.


Regulations


According to the Personal Information Protection Act, a personal information controller shall notify a data subject "1. Purpose for which personal information is collected and used; 2. Items of personal information to be collected; and 3. Period for which a recipient of personal information is held and used etc." and obtain consent, and when the personal information controller changes any of the matters, he/she shall inform the same and obtain consent thereto (Article 15 Clause 2). "When a personal information controller obtains the consent of a data subject, he/she shall classify respective matters requiring consent and notify the data subject of such matters to clearly understand them, and obtain consent respectively to such matters" (Article 22 Clause 1). It also requires that a personal information controller may obtain additional consent of the data subject where he/she shall use personal information for any purpose other than the intended ones or provide a third party with such information (Article 18 Clause 2).



Meanwhile, the Information and Communications Act stipulates that a provider of information and communication service shall notify users "1. Purposes for which personal information is collected and used; 2. Items of personal information to be collected; and 3. Period for which a recipient of personal information is held and used;" and obtain consent, and when the service provider changes any of the matters, he/she shall inform the same and obtain consent thereto (Article 22 Clause 1).



Specific Violations



Google listed the personal information that used to be collected for each of over 60 services in their integrated policy en bloc and asked for consent. Thus, it is hard for users to identify for which services their specific personal information is obtained or how it is used, which may lead to the possible misuse and abuse of the information for any purpose other than the intended ones as the personal information sharing between services becomes free.



For this matter, Google specified in their previous policy that "We will ask for your consent before using information for a purpose other than those that are set out at the time of collecting personal information" but they changed it into asking for consent of users before using information for a purpose other than those that are "set out in this Privacy Policy" instead of "set out at the time of collecting personal information" in the present policy. Therefore, giving consideration to the inclusive purpose of the Google Policy pointed out previously, it is deemed that the possibility of using personal information for purposes other than those that are set out in the policy without additional consent procedures for users is increased.



Google stipulated in the policy that they may combine personal information from one service with information from other Google services 'to improve the overall quality of our services' or 'for user experience.' The combination may create a wide variety of new information that may be difficult to predict by users. That Google asked for inclusive consent through the policy is in violation of the relevant Acts and may restrict the choices of individuals. In the previous policy of Google, it was possible "for users to disallow the combination of information in some services" for the combination of personal information from one service with information from other Google services or with information provided by a third party, whereas the present integrated policy deleted the provision.



Google's so-called 'tailored content' is a customized service for individuals because of the nature of the service, and the content and the level of the service must be chosen by the individual. Therefore, the tailored content must provide its specific content to individuals and ask for choices of or have consents of individuals rather than obtaining consents en bloc through the integrated policy.


Erasure of Personal Information



Google failed to specify the retention period of personal information in the privacy policy and to delete the personal information immediately upon user requests for deletion, which violates Article 15, Article 21, Article 36, and Article 37 of the Personal Information Protection Act and Article 29 and Article 30 of the Information and Communications Act.


Regulations



The Personal Information Protection Act sets out that when a personal information controller obtains personal information, he/she shall notify a data subject of the 'period for which personal information is held and used' (Article 15 Clause 2), 'When personal information becomes unnecessary as its holding period expires, its processing purpose is achieved and by any other ground, a personal information controller shall erase the personal information without delay" (Article 21 Clause 1), "Upon receiving a request from a data subject, a personal information controller shall take necessary measures, such as correction, deletion, etc. based on a request from the data subject, and notify the data subject of the result" (Article 36 Clause 2), and "A personal information controller shall immediately take necessary measures, such as the erasure, etc. of the relevant personal information, the process of which is suspended at the request of a data subject"(Article 37 Clause 4).



In the meantime, the Information and Communications Act stipulates that 'a provider etc. of information and communication service' shall erase the relevant personal information without delay "as its processing purpose is achieved and its holding period expires" (Article 29) and "a provider etc. of information and communication service shall take necessary measures, such as correction, deletion, etc. upon withdrawal of consent by users pursuant to Clause 1."(Article 30 Clause 3).



Specific Violations



Google provided more detailed information on "retention and erasure of personal information' in "additional information related to personal information for residents in Korea." However, they still failed to specify the period for which personal information is held and used saying that 'we strive to give you ways to delete it' upon receiving a request for erasure from the data subject, and explained only about the Google archive system. It is deemed that Google has to improve the relevant policy provisions including the specification of 'erasure' of personal information instead of 'strive' upon receiving a request from users for the specification of the Acts concerned in Korea and to guarantee 'the right to be forgotten' that is discussed across the globe.