European privacy watchdogs have announced Monday that they are to take action against Google by summer for its privacy policy, which is not in compliance with European privacy legislation.
The development is the latest chapter in the Google vs. EU privacy saga.
Doubts about combination of data across services
It all began in March 2012, when Google consolidated all its privacy policies into one uniform policy applicable across all Google services harvesting user data, including YouTube, Gmail, Google maps and Google+. Users cannot opt out of the policy.
As we already reported, prior to the implementation of the new privacy policy the internet giant was asked by European national data protection and privacy authorities to pause its EU implementation while the privacy watchdogs checked for possible consequences for Google’s European users.
Tasked with heading this investigation was the French data protection authority CNIL, with preliminary analysis indicating that the new privacy policy’s combination of personal data across services did not meet the requirements of the European Directive on Data protection.
However, the requested delay and all privacy concerns were rejected by Google, and the new privacy policy came into effect across the globe on 1 March 2012.
Four month deadline to change the privacy policy
In October 2012, CNIL announced that several months of investigation showed that Google’s policy allowed for the combination of “almost any data from any services for any purposes”, at the same time providing “insufficient information to its users on its personal data processing operations”.
“A Google service’s user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed,” added CNIL.
The findings confirmed the suspicion that the policy did not seem to be in line with EU legislation, and CNIL called on Google to modify its practices or else face litigation.
EU privacy watchdogs gave Google four months to change its approach and listed recommendations for it to bring its privacy policy into line, asking the company to improve data subjects’ information and clarify the combination of data across services, and provide precise retention periods for the personal data it processes.
Repressive action by summer
On Monday CNIL said that EU privacy watchdogs are now planning to take action against Google and its privacy policy by summer, as “Google did not provide any precise and effective answers to [the] recommendations” the four month deadline given.
Google, on the contrary, claims that it does respect European law, telling the BBC that the company has “engaged fully with the CNIL throughout this process, and [will] continue to do so going forward.”
For what it’s worth, European privacy watchdogs seem to be of a different opinion, stating that the EU data protection authorities are committed to act and continue their investigations, and that they will set up a working group, lead by the CNIL, in order to coordinate their repressive action which should take place before summer.
“We seem to be looking at a permanent conflict,” comments Aphaia’s Boštjan Makarovič.”Whereas EU data protection legislation is all about data subject consent, web giants are always trying to find new ways to combine and commercially exploit data, and these ways are unlikely to be covered by their previous policies, not to mention previous informed consent given by service users. The temptation just seems to be too big.”
Photo: Flickr/Robert Scoble
Read this article in Slovene