The CNIL is threatening Google with a fine of up to €150,000 (£128,000) and a second payment of €300,000 (£256,000) if it fails to comply with its six requirements. These include limits on how long users’ data is kept and a ban on combining individuals’ data “without legal basis.”
The CNIL’s threats are not unusual. The most severe fine France has levied against Google so far was for €100,000 in 2011 for breaches incurred by the company’s Street View mapping service. Hamburg (where Google has its main German base) also fined Google for €145,000 in April this year after data concerning individuals’ wireless-networks was collected by Street View cars.
Although France is currently spearheading the legal action, it has the backing of 27 European privacy commissioners who asked France to lead enquiries on their behalf last October. Six other countries will be following this current bout of legislation with their own formal investigations.
“France, Spain, the U.K. at the start of next week and Germany at the end of next week will all take a formal and official decision to start repressive proceedings against Google,” said Isabelle Falque-Pierrotin, Chairwoman of the CNIL, “and a second salvo will come from Italy and the Netherlands by the end of July.”
As well as limits on data retention and combining datasets, the CNIL is also asking that Google request users’ approval before collecting information via services such as DoubleClick and Google+ ‘+1’ buttons (the equivalent of the Facebook like). These are tools operated by Google but that run on third-party websites.
Falque-Pierrotin did note, however, that the notice given by the CNIL “isn’t very prescriptive” and that they are “leaving Google some leeway to reach compliance.”