Since March, Google has been accumulating data from across its sites to potentially better target adverts – which regulators perceive as “high risk” to people’s privacy.
The new policy was implemented after the company combined 60 separate privacy policies into one agreement. But, in October, the regulators fired a shot across Google’s bow, informing the search giant that it needed to address their concerns or face legal action in 2013.
As a result, France’s CNIL (Commission nationale de l’informatique et des libertés) – which is representing the European Commission’s Article 29 Working Party – said today that the internet giant had not yet made the changes demanded by the regulators. “Google did not provide any precise and effective answers,” CNIL said on Monday.
Poised for their next action, now European privacy regulators are firmly preparing to act, according to Reuters. The regulators’ next step-setting up a new working group to coordinate the responses of privacy regulators in the EU’s 27 member countries-is not likely to strike fear in Larry Page’s heart. But the regulators say they expect to take coordinated enforcement action against Google by this summer.
“In this context, the EU data protection authorities are committed to act and continue their investigations. Therefore, they propose to set up a working group, led by the CNIL, in order to coordinate their reaction, which should take place before summer.”
As a matter of fact, the dispute mainly focuses on Google’s decision to share data more liberally among its own products. Previously, Google had dozens of different privacy policies for its various products, and these policies often prevented the search giant from aggregating data gathered in different products. Last year, Google replaced all these separate policies with a single, company-wide policy. It touted the new policy as easier for users to understand, and it argued that more data sharing would allow the company to more effectively customize its products to the needs of each user.
However, according to EU regulators, the Web giant was not in compliance with European law, the group suggested that Google should strengthen the consent sought for combining data for the purposes of service improvement and advertising; provide a centralized opt-out solution; and adapt the combination rules to distinguish between security and advertising. Google was also warned about not clarifying how long it stores user data.
All in all, 12 recommendations were defined in a letter signed by 24 of the EU’s 27 data regulators, following a nine-month investigation into Google’s data collection practices.
Among the proposed changes were the following:
Nevertheless, the change raised the ire of some privacy advocates. They worried that liberal sharing among Google applications would undermine users’ privacy. Google, they thought, might take information it collected for one purpose and use it for other purposes that users might not expect or appreciate. And regulators in Europe, who often follow a much stricter regime of privacy regulations, seem to share these advocates’ concerns.