After initially reviewing the proposed changes to Google’s policy, CNIL let Google know that it had some questions about the policy. While the French government had hoped Google would delay the change in policy, Google did not. Google did, however, respond to the French government and let them know they were “keen to answer questions” from CNIL. CNIL apparently solicited the help of all the other European Data Protection Agencies in developing the 69 questions.
CNIL is looking for answers to the questions from Google CEO Larry Page by April 5, 2012. CNIL did place the letter and questions on its website, but let Page know it wouldn’t post the answers to the questions in public without Google’s permission; otherwise the answers will be kept confidential.
In four questions under the heading “Mobile Platforms,” CNIL drills in on the Android operating system. One key point that seems to be under scrutiny is the requirement to have a Google Account in order to use the Android operating system. As you are probably aware, to use a Google-approved Android product, such as a phone or tablet from any of the major OEMs, you DO need to have a Google Account.
CNIL is also concerned about the phone’s anonymous identifier. Google states that every phone has a unique identifier and then later on talks about an anonymous identifier. In one of the questions, CNIL is trying to figure out if the unique identifier is anonymized on the device side or server side.
Here are the questions that are specific to Android, outside a set of questions about advertising:
Mobile devices such as smartphones contain personal data like contact lists, phone numbers, unique mobile device identifiers, SMS and location data, which may be accessible by mobile applications in
QUESTION 61. Please clarify how an Android user is informed that creating a Google Account is optional to use its device.
Google Mobile Applications?
B) On mobile platforms, please specify if a distinction is made between authenticated users, non-authenticated users and passive users.
QUESTION 63. Please indicate how Google Services inform users and request consent before accessing data stored in a mobile device (such as contact lists, phone numbers, SMS, unique mobile device identifiers and location data), having regard to article 5(3) of the revised ePrivacy
QUESTION 64. This question attempts to clarify the nature of the relationship between the “device identifier” (hereafter referred as “real device identifier” for clarity) and the “anonymous device identifier” described in the Google privacy FAQ.
In the Google privacy FAQ, it is indicated that if Google receives a real device identifier, an anonymous device identifier is created and associated with the user’s device. Please indicate if the real device identifier is transmitted to Google over the network or if the computation of the anonymous device identifier is done by the application in the user’s terminal without a transmission of the real device identifier outside the phone, to Google.
The remaining 65 questions are just as specific. Someone at Google has their work cut out for them. As we said above, the letter references the fact that all of the European Data Security Agencies were involved in the formation of these questions. Perhaps this may become an issue for the European Union later on.
As for the Android-specific questions, I am sure plenty of American Android users would like to know the answers.