Closed jwrosewell closed 1 year ago
We are committed to achieving the purpose of the Privacy Sandbox commitments accepted by the CMA in February 2022. We encourage feedback on how to better achieve that purpose through our technical proposals, and we will report publicly on feedback we receive as set out in the commitments. We are in constant dialogue with the CMA on these issues, and members of the web ecosystem are also welcome to discuss these issues with the CMA. In fact, as previously mentioned by the CMA in public and in its communications to Mr Rosewell, the CMA is the sole public body responsible for monitoring Google’s compliance with the commitments accepted on 11 February 2022 in relation to Google’s Privacy Sandbox proposals. We therefore hope that everyone will understand when we decline to participate in public discussions on legal or internal aspects of compliance with the commitments, or to detail our direct exchanges with the CMA.
The commitments Google entered with the CMA in February 2022 prevent Google from implementing Privacy Sandbox changes until the CMA are satisfied or February 2028.[1] The commitments define a role for third parties such as myself to express reasonable views and suggestions.[2] The commitments require Google to provide quarterly reports providing substantive responses.[3] The next report is due in January 2023.[4]
The commitments, Privacy Sandbox website, and chrome developers web site, direct third parties to forums such as this one. [5][6]
The views and suggestions raised are not related to internal aspects of compliance. They relate to the substance of the proposal and are clearly within scope of the commitments in relation to third parties.
Please reopen this issue and retract your misleading statement posted on Friday 9th December 2022.
It would be helpful to provide your substantive response in this forum as well as the January 2023 quarterly report so that all third parties can easily understand the response. Once any follow-on observations and viewpoints are addressed then the issue can be closed.
[2] “Google will publish on a dedicated microsite a process for stakeholder engagement in relation to the details of the design, development and implementation of the Privacy Sandbox proposals and report on that process publicly, as well as to the CMA through the quarterly reports described in paragraph 32(a) below. As part of that process, Google will take into consideration reasonable views and suggestions expressed to it by publishers, advertisers and ad tech providers, including (but not limited to) those expressed in the W3C or any other fora, in relation to the Privacy Sandbox proposals, including testing, in order to better apply the Development and Implementation Criteria in the design, development and implementation of the Privacy Sandbox proposals.” – Commitments clause 12 – emphasis added
[3] “Google will provide the CMA with quarterly reports within three Working Days of the end of each three-calendar-month period following the Effective Date about: progress on the Privacy Sandbox proposals; updated timing expectations; substantive explanations of how Google has taken into account observations made by the CMA and by third parties pursuant to paragraphs 12 and 17(c)(ii) of these Commitments; and a summary of the interactions between the CMA and Google pursuant to paragraphs 17 and 21 of these Commitments, including in particular a record of any concerns raised or comments made by the CMA and the approach retained for addressing such concerns or comments pursuant to paragraphs 17(a)(ii) and 21.” – Commitments clause 32(a) – emphasis added
[5] “For the open web, you can contribute to the public discussions in forums such as the W3C….” https://privacysandbox.com/#home-frequently-asked-questions
[6] “To participate in conversations with industry representatives, browser vendors and others—for example, to advocate for a particular use case or solution—you can join one or more of the W3C forums where privacy-preserving proposals are being shared and refined. Today most community discussion is happening in the Improving Web Advertising Business Group, the Privacy Community Group and the Web Platform Incubator Community Group.” https://developer.chrome.com/blog/privacy-sandbox-participate
Google will publicly disclose the timing of the key Privacy Sandbox proposals as set out in Annex 1. Google will also publicly update the information provided for in Annex 1 as timings change or become more certain. Such disclosures may be made in particular with the Blink Dev discussion group within the W3C, within any other fora and/or in a blog post, a dedicated microsite or equally prominently. Such disclosures will aim to enable publishers, advertisers and ad tech providers to influence the Privacy Sandbox and to adjust their business models, including by providing sufficient advance notice of the proposals an publishing key information. Google will use its best endeavours to ensure that blog posts and Privacy Sandbox microsite updates relating to origin trials for, the timing of, and any key changes to, the Privacy Sandbox proposals as set out in Annex 1 will contain an express reference to these Commitments and a brief explanation of the involvement of, and regulatory oversight provided by, the CMA in consultation with the ICO. Google will provide a single webpage from which all such disclosures can be accessed.”
Google will publish on a dedicated microsite a process for stakeholder engagement in relation to the details of the design, development and implementation of the Privacy Sandbox proposals and report on that process publicly, as well as to the CMA through the quarterly reports described in paragraph 32 ( a) below . As part of that process Google will take into consideration reasonable views and suggestions expressed to it by publishers, advertisers and ad tech providers, including ( but not limited to) those expressed in the W3C or any other for a , in relation to the Privacy Sandbox proposals, including testing, in order to better apply the Development and Implementation Criteria in the design development and implementation of the Privacy Sandbox proposals. “ (emphasis added)”
Nothing in the above is limited to technical proposals. The reference to the Development and Implementation Criteria are found in Paragraph 8 of the Commitments which implements the “Purpose of the Commitments” described in Paragraph 7. The purpose of the Commitments is explained further in the CMA Decision which can be found at: https://assets.publishing.service.gov.uk/media/62052c52e90e077f7881c975/Google_Sandbox_.pdf
To be relevant the comments made by others may well relate to their purpose. This is likely to raise issues of how alternatives will be competitively neutral and comply with applicable privacy law, given that the commitments were given as an aid to ensure alternatives to data transport and web features being blocked by Google’s Privacy Sandbox proposals are with the law, given the CMA has serious concerns about breach of the law.
The below statement from Mr Taylor could suggest that Google is aiming not to meet its obligation to take reasonable views into account when the statement is made that it will “not participate in public discussions.”
He states:
“We therefore hope that everyone will understand when we decline to participate in public discussions on legal or internal aspects of compliance with the commitments, or to detail our direct exchanges with the CMA.”
As we read its Commitments, Google is required to publish a “process for stakeholder engagement”. As part of that process it clearly needs to ensure that stakeholders are engaged – which suggest that it is itself engaged with stakeholders. Common usage of the word ‘engagement’ does not imply that Google can do nothing – engagement implies something is being “Done With” another party or person. The intensity of the engagement is left open.
These are Google’s Commitments. It might take the view that it can interpret them only very narrowly. A narrow reading would be one where it would de-emphasise the level of its engagement in the process and make an argument that it is not being required to respond. Or its responses will be provided privately, not publicly. Or that it will not discuss publicly any “non-legal or non-internal” aspects of its offerings.
Such an interpretation would be challenging to square with the obligation to create a “process for stakeholder engagement”.
On any interpretation, Google does have to listen. It has also clearly committed to take points made “into consideration”. As part of any process of engagement some degree of further interaction is clearly required, if only to check that points made have been received and understood correctly.
We would also suggest that nothing should stop Google from clarifying or challenging points it disagrees with, and it should feel free to engage in debate and discussion to ensure that stakeholders are fully engaged. After all, a process in which no stakeholders were participating would not amount to stakeholder engagement. Lack of response may encourage non-participation and disengagement. We would also be concerned if the absence of any response might be misinterpreted as a lack of participation, and engagement, contrary to Google’s obligations.
The goal is to get into the open why Google considers its proposals comply with competition law and privacy as defined in applicable data protection legislation (defined with reference to the GDPR in its Commitments). Given Google’s ad systems will continue to collect and process individuals activity for business purposes as they browse across the web Google should also explain why rivals cannot rely on identical privacy protections for their competing business facing data processing.
Given that latency is critically important to the serving and matching of ads for competing businesses, issues concerning latency are important to the competitive position of its offerings and whether they are comparable to current features and functions available over the web. Google’s Privacy Sandbox proposals involve the blocking or interference with current web offerings and will make a difference to competitors quality of service and users’ experiences.
Any method used by Google that increases latency could also force more businesses to pay for search traffic as their organic search results are impaired.
Google punishes sites in search rankings depending upon factors including impacts to latency. Latency thus cannot be dismissed as irrelevant to issues raised in the commitments as it affects both service to business and user experiences.
The second quarterly report from the CMA and Google under the commitments Google entered into with the CMA discusses latency.
CMA state:
Google state:
The third quarterly report indicates that no progress has been made.
What work have Google undertaken to mitigate the latency issues associated with the proposal? Will Google now place User-Agent Reduction on hold to provide time for stand-still period to come into effect and the CMA to complete their assessment?
The question relates to User-Agent Reduction only in part which has also been raised in the repository advised by Google here.
Please can Google (tagging @miketaylr, @cwilso, @yoavweiss) provide a substantive answer in the January 2023 quarterly report provided to the CMA and the industry under the commitments which I understand Google employees at W3C have now been trained in.