EU Regulators “Plan To Take Action” Against Google Privacy Policy

When it comes to the issue of privacy, it seems that Google and Europe are on opposite sides of an ocean, metaphorically speaking. Reuters reports this morning that frustrated European authorities “plan to take action” against Google for its failure to satisfy them regarding its consolidated privacy policy.

Google has maintained that its privacy policy conforms to all European laws and regulations. Privacy regulators from France and across Europe have heavily criticized the “consolidated” Google privacy policy and say it overreaches. However, they’ve stopped short of declaring it “illegal.”

In March 2012, Google combined its many and varied privacy policies into one. Google argued this change benefitted users by distilling a complicated and potentially contradictory array of policies into a simplified approach that was easier to understand. It also allowed Google to use data across its network for any purpose, including ad targeting or product development.

The Europeans, and specifically France’s National Commission for Computing and Civil Liberties (CNIL), focused on that pooling or aggregation of user data under the new policy and asked Google a series of questions about how data would be used by the company and whether users were notified accordingly.

In a letter issued last October, CNIL, on behalf of European data protection authorities, laid out a number of concerns to Google CEO Larry Page. Among them, CNIL said Google had failed, during the investigation, to address key questions regarding data usage and user consent:

Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data . . . 

Additionally, the investigation unveiled several legal issues with the new privacy policy and the combination of data. Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed . . .

Secondly, the investigation confirmed our concerns about the combination of data across services. The new Privacy Policy allows Google to combine almost any data from any services for any purposes. Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user . . . 

Google was given roughly four months to adopt or address CNIL’s recommendations. According to CNIL Google has declined to do so, holding to its position that its privacy policy respects European law. Google says, however, it has taken steps to address Europe’s concerns.

Reuters quotes European authorities who characterize Google’s policy as “high risk” (for individuals). The Reuters article adds that the various European privacy regulators have established a “working group” and will offer a coordinated response by this summer.

What that “response” or “action” might be is unclear, although fines are one possibility.

Below is the text of CNIL’s letter to Google CEO Larry Page from October, 2012.

About The Author

Greg Sterling

Greg Sterling is a Contributing Editor at Search Engine Land. He writes a personal blog, Screenwerk, about connecting the dots between digital media and real-world consumer behavior. He is also VP of Strategy and Insights for the Local Search Association. Follow him on Twitter or find him at Google+.