CNIL imposes deadline for Google to make privacy policy changes as Spanish watchdog opens sanctions procedure

Out-Law News | 21 Jun 2013 | 5:18 pm | 2 min. read

Google has three months to make changes to its privacy policy or it could be issued with a fine, the French data protection authority (DPA) has said.

The Commission Nationale de l’information et des Liberties (CNIL) has served a "formal notice" on Google in a bid to make the company amend its privacy policy, which the authority previously said did not comply with EU data protection laws.

CNIL wants Google to define the "specified and explicit purposes" for which the personal data of users of its services will be processed and define how long it will retain personal data collected to ensure that it does not retain the data longer than is "necessary for the purposes for which they are collected".

Among the other measures CNIL has called on Google to undertake is a commitment not to combine users' data from across different services without having a legal basis for doing so. It has also called on Google to ensure they inform users that it could set cookies on their computers and obtain their explicit consent before doing so.

"This formal notice does not aim to substitute for Google to define the concrete measures to be implemented, but rather to make it reach compliance with the legal principles, without hindering either its business model or its innovation ability," CNIL said in a statement. "If Google does not comply with this formal notice at the end of the given time limit, CNIL’s Select Committee ... may issue a sanction against the company."

CNIL said that a number of other DPAs are also progressing their own investigations into Google's privacy policy.

The DPA in Spain has informed Google that the company will be subject to sanctions as a result of the company infringing Spanish data protection laws, CNIL said.

Johannes Caspar, Hamburg's Data Protection Commissioner, has also opened a formal procedure against Google over its privacy policy, CNIL said. The process may lead to the company being required by law to "implement measures in order to comply with German national data protection legislation".

The DPAs in the Netherlands and Italy are also both in the middle of processes that could eventually see Google sanctioned, CNIL added, whilst the Information Commissioner's Office in the UK is also progressing with its investigation and is due to write to Google shortly to communicate its "preliminary findings" into whether Google has acted in breach of the Data Protection Act.

CNIL had previously explained that it is up to individual DPAs to determine whether Google has breached national data protection laws within their jurisdiction.

Last March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led EU privacy watchdogs represented in the Article 29 Working Party to appoint CNIL to assess the single policy's compliance with EU data protection laws.

CNIL asked Google to take action to account for its concerns, but reported earlier this year that the company had not done so to its satisfaction. As a result it said that regulatory action by EU DPAs was possible. In April CNIL announced that it, the ICO, and watchdogs in Germany, Italy, Spain and the Netherlands had formed a "taskforce" and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.