EU Watchdogs Order Google Privacy ‘Upgrade’

The French privacy regulator, CNIL, speaking on behalf of other European watchdogs, has ordered an “upgrade” to the Google privacy policy, but stopped short of demanding Google completely unravel a controversial update in which data is shared between multiple products.

CNIL has been leading a pan-European probe into Google’s privacy practices and said that the search giant has three or four months to mend its ways and give users clearer information and better control over the ways their data is shared, or else it could face fines.

Google privacy sanctions

If Google does not respond with action, the matter will move to a “sanctions phase”, said Isabelle Falque-Pierrotin, head of , CNIL (France’s National Commission for Computing and Civil Liberties) at a press conference in Paris today.

CNIL has the power to impose fines, but they could also come from “competent authorities,” in other states said Falque-Pierrotin.  In March, the UK Information Commissioner’s Office (ICO) said it would follow EU regulators on any potential punishment.

On behalf of the EU’s data protection authorities, CNIL is asking  Google  “to provide clearer and more comprehensive information” about what it is doing with collected personal data. For instance, it wants three levels of detail at which users can choose what data is shared.

It also wants Google to provide user control over what data is shared between its “numerous” services. With 60 products falling under the Google policy, data is currently being shared pretty widely, and the companyhas been criticised for offering only one single opt-out.

Some details were given in a CNIL press release which also points out that the Google privacy policy covers an awful lot of different types of data, so users may approve the sharing of one sort of data and find they have shared more than they thought:  “The Privacy Policy makes no difference in terms of processing between the innocuous content of search query and the credit card number or the telephone communications of the user ; all these data can be used equally for all the purposes in the Policy.”

CNIL also says that Google is re-using information from people who don’t have Google accounts, without giving them information about what is being done:  “Passive users (i.e. those that interact with some of Google’s services like advertising or ‘+1′ buttons on third-party websites) have no information at all.

In response, Google disagreed with the CNIL’s findings, claiming its privacy notices are within the European law – but it would look into the matter.

“We have received the report and are reviewing it now,” said Peter Fleischer, Google’s global privacy counsel. “Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.”

Privacy organisations have welcomed the move: “”It’s good to see European data protection authorities take action so that users gain control of their data,” said JIm Killock, executive director of the Open Rights Group. “”This must be backed by strong new data protection powers, for fines based on turnover, and rights to retrieve and to delete your data.”

Long-standing issues

The issue has been brewing since February, when the Article 29 Working Party – a group comprising regulators from from  the EU’s 27 member states – asked for a “pause” in the introduction of the single Google privacy policy, and put CNIL in charge of the European investigation. In the US, eight senators wrote to Google CEO Larry Page, expressing the same concerns.

Google has defended the policy, saying it is designed to make options simpler to understand, while giving the company the opportunity to use customer data to build better services – and target advertisements better. On 1 March, despite the warnings, Google went ahead with introduction of the single privacy policy and was sharply criticised by EU Justice Commissioner Viviane Reding.

“This [EU] decision may restrict Google’s ability to fully monetise its users’ personal data across its platforms and may cost Google tens of millions of dollars in lost revenue,” US lawyer Bradley Shears told the Guardian.

Meanwhile, a separate EU investigation is looking at whether Google is using its dominant position in the search engine market to harm the competition. European Commission staff are currently looking at Google’s proposals in four areas of concern. If these proposals don’t satisfy the EC, the company could be fined up to ten percent of its worldwide revenues – which for 2011 amounts to €2.9bn (£2.3bn).

CNIL and the ICO have yet to make any further comments.

Are you a Google expert? Take our quiz!