EU privacy watchdogs to take coordinated action against Google before summer over privacy policy concerns

Out-Law News | 19 Feb 2013 | 2:59 pm | 2 min. read

UPDATED: Google has failed to provide EU privacy watchdogs with "precise and effective answers" to address their concerns over the company's privacy policy and faces regulatory action as a result, the French data protection authority has said.

The Commission Nationale de l'Information et des Liberties (CNIL) said that it will lead efforts by EU member states' data protection authorities to take coordinated "repressive action" against Google for not implementing changes to its privacy policy which it was instructed to make.

A spokesman for Google told that the company had responded to CNIL’s letter to it in October on 8 January. The response outlined that Google had taken a number of steps to address the watchdog’s concerns, he said. Google has also offered to meet CNIL and discuss their concerns and also to speak at a meeting of the Article 29 Working Party later this month but has yet to receive a response to its offers, the spokesman added.

“Our privacy policy respects European law and allows us to create simpler, more effective services,” the spokesman said in a statement. “We have engaged fully with the CNIL throughout this process, and we’ll continue to do so going forward.”

Last March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led CNIL to conclude that the single policy was not compliant with EU data protection laws. CNIL assessed the policy on behalf of all of the EU's privacy watchdogs represented in the Article 29 Working Party.

Amongst its findings, detailed in October, CNIL said that Google does not have a "valid legal basis" to combine personal data it gathers about users from their use of more than one of its services for some purposes for which the information is collected.

At the time CNIL president Isabelle Flaque-Pierrotin warned that Google could face a "phase of litigation" if it did not take action to implement the recommendations within "three or four months", according to a report by the Daily Telegraph.

CNIL wrote to Google outlining its concerns, but the watchdog has now said that the issues it raised have not been satisfactorily resolved.

"The authorities recommended to Google to improve data subjects' information and clarify the combination of data across Google's services," CNIL said in a statement. "Lastly, they asked Google to provide precise retention periods for the personal data it processes. After a 4 months deadline that was granted to Google in order to comply with the European data protection regulation and to implement effectively G29's recommendations, no answer has been given."

"On February 18, European data protection authorities have noted that Google did not provide any precise and effective answers to their recommendations. In this context, the EU data protection authorities are committed to act and continue their investigations. Therefore, they propose to set up a working group, lead by the CNIL, in order to coordinate their repressive action which should take place before summer," it added.

CNIL said that the "action plan" is expected to be formally approved at a meeting of the Article 29 Working Party on 26 February.

Editor's note 19/2/13: This story has been updated to include the information and statement received from Google.