Google's Paying Clients Exempt from Privacy Policy?

Google Says Yes, Advocacy Group Raises Doubts
Google's Paying Clients Exempt from Privacy Policy?
Google says its new privacy policy that has some privacy advocates up in arms will not have the same impact on businesses and government agencies that pay for its commercial Google Apps services as it does on its nonpaying users.

But a privacy advocate contends some Google Apps for Government customers' contracts state they must adhere to the published privacy policy.

See Also: How Tri-Counties Regional Center Secures Sensitive Files and Maintains HIPAA Compliance

The new privacy policy, unveiled Tuesday, takes effect March 1 and would allow Google to share data among its various cloud computing services such as Gmail, Picasa and YouTube.

Google contends it treats its paying customers differently than nonpaying ones. "Enterprise customers using Google Apps for Government, Business or Education have individual contracts that define how we handle and store their data," Google Enterprise Vice President Amit Singh said in a statement.

Singh said Google will maintain its enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain. "The new privacy policy does not change our contractual agreements, which have always superseded Google's privacy policy for enterprise customers," he said.

Singh's comment came after SafeGov.org, a cloud security forum co-founded by Karen Evans, the top information technology leader in the George W. Bush administration, issued a statement Wednesday that the new Google policy raises serious privacy concerns for paying Google Apps for Government users.

SafeGov.org's Jeff Gould didn't buy Singh's explanation, saying published Google Apps for Government contracts suggest otherwise (see Google Should Allow Governments to Opt Out). Gould cites a city of Los Angeles contract that states that Google's standard privacy policy applies to it, and the contract's appendix points to a page on Google's website that says the existing policy will be replaced by the new policy on March 1. "Google needs to clear up the confusion here once and for all," he says.

Gould says Google should publish an explicit privacy policy pledging to government users that their information will not be data mined for any purpose unrelated to government business. "The default setting for Google Apps for Government - and all similar products from Google competitors - should be no information sharing at all between services and no data mining," he says. "If Google wants to be a credible player in the government market, it should recognize that Google Apps for Government users have more sensitive privacy needs than consumers using a free service and cannot serve as advertising fodder."

After Gould's latest comment, made Thursday evening, we sent an e-mail query to Google seeking further clarification of its privacy policy. On Friday, a Google spokesman reiterated that the Federal Information Security Management Act and individual customer contracts define how government customers' data are handled and supersede the company's privacy policy for those customers. In July 2010, Google became the the first suite of cloud computing applications to win FISMA certification and accreditation from the General Services Administration (see GSA Certifies Google Apps for Government Cloud).

Spell Out Rights in Contract

Data privacy lawyer Francoise Gilbert of the IT Law Group says cloud service providers generally don't seek to control paying customers' data. "In general, when a company pays for a service, most service providers will not use the data per se; that is, they would not create databases and start emailing your customers," says Gilbert, who has negotiated contract terms with cloud providers for large, global corporate clients. "Of course, it is a good thing to make sure your contract with Google or with the cloud provider says so."

Gilbert says Google generally agrees to provisions limiting its use or access to data, clarifying what it will or will not do with the information. "For example," she says, "if a company negotiates a mail management application, Google would agree not to access the mails, not to review the mails, not to send an advertisement like this is the case on Gmail."

Google makes billions of dollars a year through advertisements found on the webpages of its various offerings, including its popular search engine. Sharing data among applications enables Google to offer more services for customers to use, which in turn, should attract more businesses to advertise, resulting in even more revenue. "We can provide more relevant ads, too," Alma Whitten, Google director of privacy, products and engineering, wrote in a blog posted Tuesday that unveiled the new privacy policy. Whitten explained how Google sees integrating data from different products would benefit customers: "We can provide reminders that you're going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day."

Google doesn't necessarily need to integrate products for its commercial customers to generate income from them because it charges fees for its services; for large organizations, those charges could total millions of dollars.

After Google announced its new privacy policy, some consumer advocates complained that nonpaying users cannot opt out if they don't like it. Their only option is to stop using Google products and services. "We remain committed to data liberation," Whitten wrote, "so if you want to take your information elsewhere you can."


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.