France – When Google instituted a new privacy policy early last year, European regulators instantly warned that it was likely illegal under European law. Now, in a fresh legal fracas, global web search giant is under pressure EU watchdogs plan to take action against Google by this summer over the web giant’s current privacy policy, French privacy regulator CNIL has said.
Since March, Google has been accumulating data from across its sites to potentially better target adverts – which regulators perceive as “high risk” to people’s privacy.
The new policy was implemented after the company combined 60 separate privacy policies into one agreement. But, in October, the regulators fired a shot across Google’s bow, informing the search giant that it needed to address their concerns or face legal action in 2013.
Google claims that its privacy policy did comply with EU law.
“Our privacy policy respects European law and allows us to create simpler, more effective services,” Google said in a statement. “We have engaged fully with the CNIL throughout this process, and we will continue to do so going forward.”
As a result, France’s CNIL (Commission nationale de l’informatique et des libertés) – which is representing the European Commission’s Article 29 Working Party – said today that the internet giant had not yet made the changes demanded by the regulators. “Google did not provide any precise and effective answers,” CNIL said on Monday.
Poised for their next action, now European privacy regulators are firmly preparing to act, according to Reuters. The regulators’ next step-setting up a new working group to coordinate the responses of privacy regulators in the EU’s 27 member countries-is not likely to strike fear in Larry Page’s heart. But the regulators say they expect to take coordinated enforcement action against Google by this summer.
“In this context, the EU data protection authorities are committed to act and continue their investigations. Therefore, they propose to set up a working group, led by the CNIL, in order to coordinate their reaction, which should take place before summer.”
As a matter of fact, the dispute mainly focuses on Google’s decision to share data more liberally among its own products. Previously, Google had dozens of different privacy policies for its various products, and these policies often prevented the search giant from aggregating data gathered in different products. Last year, Google replaced all these separate policies with a single, company-wide policy. It touted the new policy as easier for users to understand, and it argued that more data sharing would allow the company to more effectively customize its products to the needs of each user.
However, according to EU regulators, the Web giant was not in compliance with European law, the group suggested that Google should strengthen the consent sought for combining data for the purposes of service improvement and advertising; provide a centralized opt-out solution; and adapt the combination rules to distinguish between security and advertising. Google was also warned about not clarifying how long it stores user data.
All in all, 12 recommendations were defined in a letter signed by 24 of the EU’s 27 data regulators, following a nine-month investigation into Google’s data collection practices.
Among the proposed changes were the following:
- Google must “reinforce users’ consent”. It suggests this could be done by allowing its members to choose under what circumstances data about them was combined by asking them to click on dedicated buttons.
- The firm should offer a centralized opt-out tool and allow users to decide which of Google’s services provided data about them.
- Google should adapt its own tools so that it could limit data use to authorized purposes. For example, it should be able to use a person’s collated data to improve security efforts but not to target advertising.
Nevertheless, the change raised the ire of some privacy advocates. They worried that liberal sharing among Google applications would undermine users’ privacy. Google, they thought, might take information it collected for one purpose and use it for other purposes that users might not expect or appreciate. And regulators in Europe, who often follow a much stricter regime of privacy regulations, seem to share these advocates’ concerns.