ICO and others initiate action after French regulator says Google is not complying
When Google rolled all of its different services’ privacy policies into one document, it caused uproar. Many raised concerns about their data being shared between various Google divisions without their approval.
Shortly after the change, EU justice commissioner Viviane Reding suggested what Google was doing was illegal. CNIL, the French privacy watchdog, subsequently opened an investigation on behalf of other European regulators, including those in the UK, Germany, the Netherlands, Italy and Spain. It hoped Google would make a number of alterations to its policy, to ensure EU law was not being broken.
After a warning in February, however, and a meeting on 19 March, CNIL claimed today Google had not been forthcoming in making changes as asked, so it has now ordered all regulators who are part of the EU Article 29 Working Party to investigate the issue and decide on what punishment, if any, is necessary.
“It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation,” CNIL said in its statement.
“Consequently, all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation.” CNIL noted it was organising an “inspection” and had notified Google.
The ICO is soon to make a final decision on a probe into another of Google’s privacy problems – the Street-View data slurping saga, when the company was found to have collected people’s unencrypted data during its mapping projects.
Reding welcomed the move of the regulators. “It is good to see that six national data protection authorities are teaming up to enforce Europe’s common data protection rules,” she said. “Data protection authorities speak louder with one voice than with 27. Such concerted actions need to evolve from the exception to the rule – that’s exactly what the EU data protection reform will make sure of.”
During the RSA Conference earlier this year, Google was more forthcoming on its problems with EU bodies. Senior corporate counsel for privacy, Keith Enright, told TechWeek CNIL had failed to answer Google questions asking for clarification on what the regulator wanted. He said CNIL had also not accepted Google’s offers to meet and discuss matters further.
Yesterday saw the departure of Google’s privacy director Alma Whitten. There was no indication the CNIL action and Whitten’s departure were linked.
But she did oversee two and a half years of intense scrutiny over Google privacy practices, which resulted in various fines and payouts. They included a €100,000 penalty in France, a $25,000 fine in the US and another $7 million settlement, all related to the Street View data slurping.
In late 2010, the firm paid $8.5 million to settle a lawsuit which claimed the Google Buzz social networking service violated privacy after contact details were shared without user permission.
In August of last year, Google was fined $22.5 million by the Federal Trade Commission, after it was alleged the company wrote code to bypass Safari privacy settings that blocked user tracking cookies by default.
“Just because Google is a big business does not put it above the law. The company has ignored the authorities and refused to make any meaningful changes to how it collects and uses people’s data.”
Are you a pedant on privacy? Try our quiz!