Out-Law / Your Daily Need-To-Know

Out-Law News 4 min. read

Google facing regulatory action in six EU countries over privacy policy issues

The UK's Information Commissioner's Office (ICO) and five other data protection authorities (DPAs) based across Europe may serve penalties on Google over alleged failings in the company's privacy policy.

The ICO and watchdogs in France, Germany, Italy, Spain and the Netherlands have together formed a "taskforce" and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.

Last March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led French DPA, the Commission Nationale de l'Information et des Liberties (CNIL), to conclude that the single policy was not compliant with EU data protection laws. CNIL assessed the policy on behalf of all of the EU's privacy watchdogs represented in the Article 29 Working Party.

Amongst its findings, detailed in October, CNIL said that Google does not have a "valid legal basis" to combine personal data it gathers about users from their use of more than one of its services for some purposes for which the information is collected. At the time CNIL president Isabelle Flaque-Pierrotin warned that Google could face a "phase of litigation" if it did not take action to implement the recommendations within "three or four months".

In February CNIL said that Google had failed to provide it with "precise and effective answers" to address the data protection concerns it had expressed months previously. As a result CNIL said that it would lead efforts by EU member states' data protection authorities to take coordinated "repressive action" against Google for not implementing the changes to its privacy policy that it was instructed to make.

Google has consistently defended its privacy policy changes and has claimed that its new single policy is in line with EU data protection laws.

However, CNIL has announced that coordinated action has now commenced. It said that Google has "not implemented any significant compliance measures" to address the concerns it had laid out in October.

"It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," CNIL said in a statement. "Consequently, all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation (investigations, inspections, etc.)"

"In particular, the CNIL notified Google of the initiation of an inspection procedure and that it had set up an international administrative cooperation procedure with its counterparts in the taskforce," it added.

The office of the Hamburg Commissioner for Data Privacy and Freedom of Information, Johannes Caspar, said that Google's new privacy policy allowed it to "evaluate extensively the data provided by users in a manner that can make a significant contribution to the creation of profiles of those affected". As a result of "vague guidelines" the company has set out, "it is completely impossible for the user to foresee the scope and content of his consent to the processing of his data," the watchdog added.

German data protection law expert Stephan Appt of Pinsent Masons, the law firm behind Out-Law.com, said that the Hamburg DPA has not "extensively levied fines in the past", but that it had the power to do so.

"The Hamburg DPA tends to concentrate on fostering a public awareness of data protection issues by making its concerns public," Appt said. "Google and Caspar have discussed data protection issues extensively in the past. Previously he questioned Google Analytics' compliance with data protection requirements. This is due to the fact that German DPA's consider IP addresses to constitute personal data, which in consequence would trigger a need for users' consent to be given prior to the commencement of any analytic processes in the US."

"After respective negotiations with Google failed Caspar threatened to go after the users of Google analytics and respective notices were sent to companies using Google Analytics. Caspar also unveiled Google's recent Street View data breach where Google collected private information wirelessly including emails and text messages," he added.

"We expect that Google's privacy policy and processing of user data in general will now be subject to scrutiny by Caspar's authority, including a hearing as a first step. To date it is hard to tell what a potential fine might amount to. The coordinated approach of the task force on EU level may also influence the approach the authorities will take in this respect," Appt said.

"The German Act on telemedia allows for a fine of up to €50,000 for insufficient information about data processing in online privacy policies, which appears to be one of the allegations in the current case, whereas in case it can be established that Google's data processing is generally in breach with German data protection law the German Data Protection Act theoretically allows for a fine of up to €300,000 or even higher if the breach confers a benefit for Google exceeding that amount," the expert said.

The UK's ICO has the powers to fine organisations up to £500,000 if they deem they have been guilty of a serious breach of the Data Protection Act.

Appt added that the way the various DPAs had coordinated their efforts across the EU had given an insight into how they would work together if proposals contained in the European Commission's draft General Data Protection Regulation are introduced.

"The concept of a lead data protection authority with coordinated help from other data protection authorities will play a more important role in the future," Appt said. "We have seen this approach with the 16 different data protection authorities in Germany and believe that indeed there is a purposefully aim to foster coordinated approaches throughout Europe."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.