Google has four months to make its privacy policy comply with requests
from European Union data protection watchdogs or start facing the
possibility of disciplinary action at a national level.
France's
Commission Nationale de l'Informatique, working on behalf of the EU's 27
national data regulators, said on Tuesday it had found legal flaws with
a new approach to user data that Google adopted in March.
Among
CNIL's concerns was the way the U.S. group combines anonymous data from
users' browsing histories across its services to better target
advertising.
That led the national regulators to issue 12
recommendations for Google to bring its privacy policy into line,
including better informing users on how data will be used, and setting
precise periods for data to be retained.
Google global privacy
counsel Peter Fleischer said the company would examine the results of
the investigation, adding it remained confident its privacy policy
respected EU law.
CNIL president Isabelle Falque-Pierrotin said
regulators were prepared to talk to Google, adding "If Google does not
conform in the allotted time, we will enter into the disciplinary
phase".
Google can either negotiate with the regulators and change
elements of its privacy policy or challenge their authority to impose
changes in court. The data protection watchdogs that examined the
privacy policy cannot rule on the legality of Google's approach since
they are not a court of law.
Some national data protection
regulators including those in Belgium, France and the Netherlands have,
in the past, imposed fines on companies that have breached rules. Such
sanctions cannot be imposed EU-wide.
When Google was found to have
broken data protection rules after its Street View cars collected
unauthorised data on public wifi networks in 2010, it faced dozens of
separate cases.
In that episode, Google was fined 100,000 euros by
the French watchdog and the Netherlands threatened a 1 million euro fine
if it did not change its policy.
Google's new approach to data,
which consolidated 60 privacy policies into one, allows the pooling of
information collected on individual users across its services, including
YouTube, Gmail and the Google+ social network. Users cannot opt out.
Jacob
Kohnstamm, the Dutch data protection boss and head of the working group
of EU data protection regulators, said it was the first time regulators
had cooperated on an investigation.
"Since internet companies know no borders, it is indispensable that data protection work together," he said.
Chris
Watson, a lawyer at CMS Cameron McKenna LLP, said "How the case turns
out will be an important test case of Europe's (EU) ability to enforce
its point of view on online privacy".
© Thomson Reuters 2012