EUROPEAN DATA protection watchdogs have given Google four months to comply with requests to alter its privacy policy, or risk being fined. France’s Commission Nationale de l’Informatique, which was working on behalf of the EU’s 27 national data regulators, said yesterday it had found legal flaws with Google’s new approach to user data.
Among the French watchdog’s concerns was the way the US group combines anonymous data from users’ browsing histories across its services to better target advertising.
The tech firm adopted a new privacy policy earlier this year, consolidating 60 privacy policies into one, bringing together the data collected from across its services, including Google search, social network Google Plus and video site YouTube, and pooling it.
Prior to the new policy, this data – which includes users’ web and map searches, along with browsing history while they are signed in to the site – had been separate. Users were also not given the ability to opt out if they wanted to use the full range of Google’s products.
The tech firm had been warned months earlier that the policy may breach EU data rules, sparking the months-long investigation.
National regulators have issued 12 recommendations for Google to bring its privacy policy into line, including better informing users on how data will be used, and setting precise periods for data to be retained.
Google global privacy counsel Peter Fleischer said the company would examine the results of the investigation, adding it remained confident its privacy policy respected EU law.
CNIL president Isabelle Falque-Pierrotin said regulators were prepared to talk to Google, adding: “If Google does not conform in the allotted time, we will enter into the disciplinary phase”.
Google can either negotiate with the regulators and change elements of its privacy policy or challenge their authority to impose changes in court. The data protection watchdogs that examined the privacy policy cannot rule on the legality of Google’s approach since they are not a court of law.
Some national data protection regulators including those in Belgium, France and the Netherlands have, in the past, imposed fines on companies that have breached rules. Such sanctions cannot be imposed EU-wide.
When Google was found to have broken data protection rules after its Street View cars collected unauthorised data on public wifi networks in 2010, it faced dozens of separate cases.
In that instance, Google was fined €100,000 by the French watchdog and the Netherlands threatened a €1 million fine if it did not change its policy.
Chris Watson, a lawyer at CMS Cameron McKenna LLP, said: “How the case turns out will be an important test case of Europe’s (EU) ability to enforce its point of view on online privacy.”
– (Additional reporting: Reuters)