UK And EU Watchdogs Launch Probes Into Google Privacy Policy

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

ICO and others initiate action after French regulator says Google is not complying

Google is facing the wrath of regulators in six different nations, following an initial probe into the company’s much-discussed privacy policy changes of 2012.

When Google rolled all of its different services’ privacy policies into one document, it caused uproar. Many raised concerns about their data being shared between various Google divisions without their approval.

Shortly after the change, EU justice commissioner Viviane Reding suggested what Google was doing was illegal. CNIL, the French privacy watchdog, subsequently opened an investigation on behalf of other European regulators, including those in the UK, Germany, the Netherlands, Italy and Spain. It hoped Google would make a number of alterations to its policy, to ensure EU law was not being broken.

google-london-officeGoogle vs. EU regulators

After a warning in February, however, and a meeting on 19 March, CNIL claimed today Google had not been forthcoming in making changes as asked, so it has now ordered all regulators who are part of the EU Article 29 Working Party to investigate the issue and decide on what punishment, if any, is necessary.

“It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation,” CNIL said in its statement.

“Consequently, all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation.” CNIL noted it was organising an “inspection” and had notified Google.

The UK regulator, the Information Commissioner’s Office, said it had opened an investigation “into whether Google’s revised March 2012 privacy policy is compliant with the Data Protection Act”. “As this is an ongoing investigation it would not be appropriate to comment further,” an ICO spokesperson said, in an emailed statement.

The ICO is soon to make a final decision on a probe into another of Google’s privacy problems – the Street-View data slurping saga, when the company was found to have collected people’s unencrypted data during its mapping projects.

Reding welcomed the move of the regulators. “It is good to see that six national data protection authorities are teaming up to enforce Europe’s common data protection rules,” she said. “Data protection authorities speak louder with one voice than with 27. Such concerted actions need to evolve from the exception to the rule – that’s exactly what the EU data protection reform will make sure of.”

“Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the data protection authorities involved throughout this process, and we’ll continue to do so going forward,” a Google spokesperson said, in an emailed statement.

During the RSA Conference earlier this year, Google was more forthcoming on its problems with EU bodies. Senior corporate counsel for privacy, Keith Enright, told TechWeek CNIL had failed to answer Google questions asking for clarification on what the regulator wanted. He said CNIL had also not accepted Google’s offers to meet and discuss matters further.

“We continue to offer to meet in person with CNIL and to engage with them to resolve their questions over our privacy policy,” he said at the time.

Yesterday saw the departure of Google’s privacy director Alma Whitten. There was no indication the CNIL action and Whitten’s departure were linked.

But she did oversee two and a half years of intense scrutiny over Google privacy practices, which resulted in various fines and payouts. They included a €100,000 penalty in France, a $25,000 fine in the US and another $7 million settlement, all related to the Street View data slurping.

In late 2010, the firm paid $8.5 million to settle a lawsuit which claimed the Google Buzz social networking service violated privacy after contact details were shared without user permission.

In August of last year, Google was fined  $22.5 million by the Federal Trade Commission, after it was alleged the company wrote code to bypass Safari privacy settings that blocked user tracking cookies by default.

“Google has repeatedly put profit ahead of user privacy and the way that the company ignored concerns from regulators around the world when it changed its privacy policy showed just how little regard it has for the law,” said Nick Pickles, director of the Big Brother Watch.

“Just because Google is a big business does not put it above the law. The company has ignored the authorities and refused to make any meaningful changes to how it collects and uses people’s data.”

Are you a pedant on privacy? Try our quiz!