Google calls for international privacy laws and policies

The head of privacy at Google is urging the governments of the world to adopt a unified set of privacy laws to protect personal data online. A non-binding framework that is already used by Asia Pacific nations is recommended for global use.

The Google executive will today launch an appeal to governments to set minimum privacy standards. This is despite Google itself being roundly criticised for its own privacy standards by, amongst others, European privacy watchdogs.

"Google believes we need to work together to create minimum global standards partly by law and partly by self-regulation," said Google's global privacy counsel Peter Fleischer in a conference call to journalists."We need a collaboration between government and the private sector."

Peter Fleischer has said that countries should all adopt guidelines agreed between Asia Pacific nations, the Asia-Pacific Economic Co-operation (APEC) privacy framework. This has been supported by countries such as Australia and Vietnam.

"If privacy principles can be agreed in such divergent countries, then we think that is a model for the rest of the world. What we see is a lack of privacy standards around the world," said Fleischer.

European privacy regulation is controlled primarily by the EU Data Protection Directive which all member states must put into national laws. There is little other consensus around the world on how privacy should be governed.

The APEC Privacy Framework comprises a set of nine principles: preventing harm; notice; collection limitations; uses of personal information; choice; integrity of personal information; security safeguards; access and correction; and accountability.

From Principle II, 'Notice':

Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information that should include:

a) the fact that personal information is being collected;

b) the purposes for which personal information is collected;

c) the types of persons or organizations to whom personal information might be disclosed;

d) the identity and location of the personal information controller, including information on how to contact them about their practices and handling of personal information;

e) the choices and means the personal information controller offers individuals for limiting the use and disclosure of, and for accessing and correcting, their personal information.

"The APEC Privacy Framework is a practical policy approach to enable accountability in the flow of data while preventing impediments to trade," said an APEC statement. "It provides technical assistance to those APEC economies that have not addressed privacy from a regulatory or policy perspective. The Framework will enable regional data transfers to the benefit of consumers, businesses and governments."

Fleischer emphasised the focus of the APEC rules on the harm caused by an event. "Privacy standards should focus on actual harms to consumer privacy. Other countries have an ideological bent. APEC has a pragmatic focus on privacy harms," he said.

Fleischer said that he had discussed the plan with national privacy regulators and that the plan had already received the approval of Spanish and French watchdogs.

Google kick-started a privacy debate earlier this year when its announcement that it would delete identifying information from stored search logs after two years alerted watchdogs and consumers to the fact that Google and other search engines kept that link at all.

After an outcry and condemnation from EU data protection officials, Google reduced that term to 18 months and other search companies revised their policies. Data protection experts still claim that 18 months is too long, though.