Google is facing a privacy policy probe in Europe. Last year Google consolidated more than 60 separate product privacy notices into one unified policy — combining the breadcrumbs of personal data left by users of different services so it could stockpile joined-up personal data as a strategy to rival Facebook’s walled garden. The move drew criticism from European privacy regulators – which last October called for Google to give users more control over their data.
The regulators stopped short of saying Google was acting illegally but published a list of privacy recommendations for Google, including suggesting the company should make it clearer to users how their personal information may be used, and how it is collected and collated from different services. The regulators also wanted Google to offer users an opt out. At the time, Google told TechCrunch it was reviewing the report, adding: “We are confident that our privacy notices respect European law.”
The 27 regulators, led by France’s CNIL, gave Google three to four months to make changes to its privacy policy — or face “more contentious” action. In a statement on its website today, the CNIL said that four months on from that report Google has failed to “to come into compliance” so will now face additional action.
“On 18 February, the European authorities find that Google does not give a precise answer and operational recommendations. Under these circumstances, they are determined to act and pursue their investigations,” the CNIL said in its statement (translated from French with Google translate).
According to the statement, the European regulators intend to set up a working group, led by CNIL, to “coordinate their enforcement action” against Google — with the working group due to be established before the summer. An action plan for tackling the issue was drawn up at a meeting of the regulators late last month, and will be “submitted for validation” later this month, they added.
Responding to the CNIL’s statement, Google emailed the following comment: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and we’ll continue to do so going forward.”
Separately, the European Commission is in the process of reforming European privacy rules – with proposals to harmonize regulation across all member states, and strengthen independent national data protection authorities, including giving them the ability to fine companies up to €1 million ($1.27 million) or up to 2 percent of their global annual turnover. As part of this reform the EC is proposing European internet users should be able to exercise a right to be forgotten by requesting that companies delete any personal data held on them — so long as there are no legitimate grounds to retain it.
