Google Clashes With French Privacy Regulators

France’s CNIL has said the search giant is being uncooperative with investigators in a privacy probe

Google officials once again are being accused by regulators of being less than cooperative in investigations into privacy issues concerning the company.

This time, the complaints are coming from France’s CNIL (Commission Nationale de l’Informatique et des Libertés), which is taking the lead in an EU investigation into Google’s new privacy policy. The CNIL said Google gave “incomplete” and “approximate” answers to a questionnaire sent to it in March.

Privacy concerns

In a statement released on 23 May, the CNIL said it had sent Google a questionnaire about the new privacy policy in March, and that the company sent back its answers in April.

“The CNIL welcomes Google’s collaboration but regrets that the answers are often incomplete or approximate,” the organisation said.

The CNIL sent another questionnaire to Google on 22 May in hopes of clarifying some questions, and met with Google representatives on 23 May. It has given Google until 8 June to answer the new questions.

European regulators are concerned about the privacy policy changes that Google announced in January and put into effect on 1 March. Essentially, Google did away with privacy rules for individual products like search, YouTube and Google Maps, and instead put in an umbrella policy that covered all 60 or so Google web services.

At the same time, Google also moved to bring in user information from all the services, creating large single-user profiles.

Google officials said the move would improve the quality of service. Critics disagreed, saying it was the latest step by Google to create better digital profiles of users in hopes of boosting its online ad business.

The European Union had asked Google to delay implementing the new policy until the questions raised by the CNIL had been answered. Google officials declined, stating that they were confident the policy adequately protected the privacy and rights of European citizens.

More information

In a statement on 1 March, EU Justice Commissioner Viviane Reding said that it was “unfortunate that Google has gone ahead with the new policy before addressing the French data protection authority’s concerns. All companies that offer services to European consumers must provide their customers with clear information about their privacy policy. In Europe, consumers must be able to make informed decisions about using Internet-based services.”

Now the CNIL is pushing Google executives to be more forthcoming in their answers. Given the current information, “the CNIL considers it impossible to know Google’s processing of personal data, as well as the links between collected data, purposes and recipients, and that the obligation of information of the data subjects is not respected. The CNIL also notes that Google has not provided a maximum retention period for the data.”

CNIL officials said they are still concerned about the purpose and legality of Google’s combining of personal data across services, and whether the opt-out procedures in place are a valid means for users to oppose Google’s efforts.

“Finally, Google has not provided a practical answer on the way the ePrivacy Directive is applied for Google’s ‘passive users’, i.e., the persons who use Google’s services [advertising, analytics, +1 button] when they visit third-party websites,” CNIL officials said.

Once the organisation has Google’s new answers, it will present a report to the EU’s Article 29 Working Party, which will decide how Google can bring the new policy into compliance. Google will get the determination by mid-July, the CNIL said.

FCC fine

The CNIL’s letter about Google and its privacy policy comes less than a month after issues surrounding the search vendor’s controversial Street View programme flared up again in the United States. The Federal Communications Commission (FCC) on 13 April fined Google $25,000 (£16,000) for intentionally obstructing an investigation into the company’s collecting of personal data from Wi-Fi networks while conducting its Street View project between 2007 and 2010.

The FCC said in its report that it could not find any evidence of legal wrongdoing on the part of Google, in part because the company “deliberately impeded and delayed” the commission’s investigation by refusing to provide information and documents requested as part of the investigation. In addition, an unnamed Google engineer who created the software that collected the Wi-Fi data did not testify at a deposition, instead invoking his constitutional right against self-incrimination.

Google executives disputed the FCC’s claim, saying they “provided all the materials the regulators felt they needed to conclude their investigation, and we were not found to have violated any laws”.

Google had claimed the collection of the personal Wi-Fi data – including passwords, emails and search histories – was the work of a rogue engineer. But soon after the FCC fine, it was learned that the engineer, Marius Milner, had told at least two other Google employees that such “payload data” was being collected.

The revelation renewed calls by privacy advocates and some politicians in both the United States and Europe to reopen the investigations into Google’s Street View programme.
