That report won the attention of U.S. lawmakers, who asked Google to explain what it was up to. The company did so in a letter that was made public Thursday. And what’s interesting is that Google admitted not only giving third-party developers access to Gmail accounts, but also allowing them to share what they find with other third parties.

“Developers may share data with third parties so long as they are transparent with the users about how they are using the data,” Google’s head of U.S. public policy, Susan Molinari, wrote in the letter, according to the Journal.

As Google (GOOGL) explained in a blog post following the initial story, the kinds of third-party services that it allows to plug into Gmail include email clients, trip planners and customer relationship management systems.

These services, which Google claims to thoroughly vet, typically read emails in an automated way, although humans do sometimes read them too. Users need to actively permit the apps to access their Gmail accounts, and they can revoke permission afterwards.

However, Google’s blog post did not talk about the possibility of those third-party services sharing users’ data with other third parties.

Marc Rotenberg, president of the Electronic Privacy Information Center, told the Journal there was “simply no way that Gmail users could imagine that their personal data would be transferred to third parties,” and the revelation showed that the “privacy policy model is simply broken beyond repair.”

Google had better hope that all the apps with such privileges are indeed properly informing users about passing data on to other third parties. In the European Union, the General Data Protection Regulation (GDPR) requires full disclosure on this front.