ICO sets Google deadline for data protection compliance over privacy policy concerns

Out-Law News | 05 Jul 2013 | 11:06 am

The UK's data protection watchdog has set Google a deadline for altering its privacy policy after raising "serious concerns" about its compliance with the Data Protection Act.

Google has until 20 September to alter its privacy policy. The ICO said that it has written to Google and warned the company that it could take "formal enforcement action" against it if it fails to act.

"In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act," an ICO spokesperson said in a statement. "In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.

"Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policies' compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action," the spokesperson said.

The ICO can serve organisations with a monetary penalty of up to £500,000 if it deems them to be guilty of a serious breach of the Data Protection Act.

The ICO is one of a number of EU data protection authorities (DPAs) that have been closely scrutinising Google's privacy policy.

Last March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led EU privacy watchdogs, including the ICO, represented in the Article 29 Working Party, to appoint French DPA the Commission Nationale de l’Informatique et des Libertés (CNIL) to assess the single policy's compliance with EU data protection laws.

CNIL concluded that Google's privacy policy did not comply with the EU Data Protection Directive and asked Google to take action to account for its concerns. However, the authority reported earlier this year that Google had not done so to its satisfaction. As a result CNIL said that regulatory action by EU DPAs was possible.

In April CNIL announced that it, the ICO, and watchdogs in Germany, Italy, Spain and the Netherlands had formed a "taskforce" and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.

Last month CNIL set Google a three-month deadline for making alterations to its privacy policy to make it compliant with French data protection rules. At the time it announced that the Spanish DPA, the AEPD, had informed Google that the company was subject to sanctions as a result of the company infringing Spanish data protection laws.

The DPAs in the Netherlands and Italy are also both in the middle of processes that could eventually see Google sanctioned, whilst Hamburg's Data Protection Commissioner has also initiated an administrative action against the company and said that it will decide whether to further pursue enforcement options based on what Google has to say in a hearing.

Google has consistently argued that its single privacy policy complies with EU data protection rules.