Google Breaks Our Privacy Laws, Says Dutch Watchdog

The Dutch privacy watchdog has ruled that the search engine giant does indeed violate the Dutch data protection act, after a seven month investigation.

The Data Protection Authority (DPA) of the Netherlands has ruled that Google’s practice of combining personal data from different services, introduced with its new privacy policy on 1 March 2012, is in breach of the Dutch data protection act, in its official ruling on the matter.

Google doesn’t ask

“Google combines the personal data from internet users that are collected by all kinds of different Google services, without adequately informing the users in advance and without asking for their consent,” said the DPA. “The investigation shows that Google does not properly inform users which personal data the company collects and combines, and for what purposes.”

“Google spins an invisible web of our personal data, without our consent. And that is forbidden by law”, said the chairman of the Dutch data protection authority, Jacob Kohnstamm.

The Dutch DPA has now invited Google to attend a hearing, after which the authority will decide whether it will take enforcement measures, including possible fines.

According to the DPA, with its services (search, Youtube, Gmail etc), Google reaches almost every person in the Netherlands with internet access, and it feels that it is almost impossible not to use Google services on the Internet.

Cookie Collection

The DPA’s report identified three types of users of Google services. The first group is made up of people with a Google account. The second group of people are those without a Google account but which use the open services of Google such as Search and YouTube. The third and final group is those people who do not use Google. According to the DPA, Google also collects data about this last group of users when they visit one of the more than 2 million websites worldwide with Google advertising cookies.

The DPA’s investigation apparently revealed that Google combines personal data relating to internet users which it obtains from different services. Google does this in order to display personalised ads and to personalise services such as YouTube and Search. The DPA argues that some of this collected data is of a sensitive nature, “such as payment information, location data and information on surfing behaviour across multiple websites.”

“Google does not adequately inform users about the combining of their personal data from all these different services,” said the DPA. “On top of that, Google does not offer users any (prior) options to consent to or reject the examined data processing activities.”

Google Response

But Google has denied the Dutch authority’s findings, saying it provided users of its services with sufficiently specific information about the way it processed their personal data.

“Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward,” Reuters quoted Google as saying in a statement.

The Dutch ruling comes amid similar investigations by other European watchdogs. In September the French watchdog CNIL told Google it has started a formal procedure for punishing the company over its privacy policy, after repeated failures to make changes to it. And one month later it, CNIL, speaking on behalf of other European watchdogs, ordered an “upgrade” to the Google privacy policy.

The UK’s Information Commissioner’s Office (ICO) meanwhile has told Google it wanted the privacy policy changed to make it “more informative for individual service users”.

Are you a pedant on privacy? Try our quiz!