As promised in the beginning of this year, the French data protection authority has ordered Google to change its privacy policy in three months or else pay a fine of up to 300,000 €. Launching their own national investigations are several other EU Member States.
Questionable privacy policy
It all began in March 2012, when Google consolidated all its privacy policies into one uniform policy applicable across all Google services harvesting user data, including YouTube, Gmail, Google maps and Google+. Users cannot opt out of the policy.
As we reported in 2012, prior to the implementation of its new privacy policy the Internet giant was asked by European national data protection and privacy authorities to pause its EU implementation while the privacy watchdogs checked for possible consequences for Google’s European users. Heading this investigation into Google’s privacy policy was the French data protection authority CNIL.
The requested delay and all privacy concerns were rejected by Google, and the new privacy policy came into effect across the globe.
At the end of 2012 CNIL’s preliminary analysis showed that Google’s privacy policy did not seem to be in line with EU legislation, and CNIL called on Google to modify its practices or else face litigation.
As Google did not respond to the invitation in the deadline given, EU privacy watchdogs decided to take action against Google and its privacy policy by summer 2013.
EU-wide infringement procedures against Google
Yesterday CNIL made it known that Google’s privacy policy violated the French Data Protection Act by preventing individuals from knowing how their personal data may be used and from controlling such use.
CNIL gave the company three months to make necessary changes in the privacy policy or risk a fine of up to 150,000 € and a second of 300,000 € if it still failed to act.
The data protection authorities from Germany, Italy, the Netherlands, Spain and the United Kingdom have also launched enforcement actions against Google.
Specifically, Google must within three months:
Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page;
Inform users and then obtain their consent in particular before storing cookies in their terminal.
Read this article in Slovene