France leads European round of attacks against Google's privacy policy

National privacy commission threaten fines of up to €300,000 if policies are not changed within 3 months.
  • @jjvincent

Google has come under fire once more over privacy concerns, this time from a consortium of European nations. France’s data protection watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL) has announced that the search giant will face heavy fines if it does not rewrite its privacy policy within the next three months.

As Google’s privacy policy currently stands it is in breach of French law as it “prevents individuals from knowing how their personal data may be used and from controlling such use.”

The CNIL is threatening Google with a fine of up to €150,000 (£128,000) and a second payment of €300,000 (£256,000) if it fails to comply with its six requirements. These include limits on how long users’ data is kept and a ban on combining individuals’ data “without legal basis.”

The dispute between France and Google has been on-going since early 2012, when the web firm altered its privacy policy so that 60 different services it controls (including the likes of Google+, Gmail and YouTube) could co-ordinate their data on specific individuals.

The CNIL’s threats are not unusual. The most severe fine France has levied against Google so far was for €100,000 in 2011 for breaches incurred by the company’s Street View mapping service. Hamburg (where Google has its main German base) also fined Google for €145,000 in April this year after data concerning individuals’ wireless-networks was collected by Street View cars.

Although France is currently spearheading the legal action, it has the backing of 27 European privacy commissioners who asked France to lead enquiries on their behalf last October. Six other countries will be following this current bout of legislation with their own formal investigations.

“France, Spain, the U.K. at the start of next week and Germany at the end of next week will all take a formal and official decision to start repressive proceedings against Google,” said Isabelle Falque-Pierrotin, Chairwoman of the CNIL, “and a second salvo will come from Italy and the Netherlands by the end of July.”

As well as limits on data retention and combining datasets, the CNIL is also asking that Google request users’ approval before collecting information via services such as DoubleClick and Google+ ‘+1’ buttons (the equivalent of the Facebook like). These are tools operated by Google but that run on third-party websites.

Falque-Pierrotin did note, however, that the notice given by the CNIL “isn’t very prescriptive” and that they are “leaving Google some leeway to reach compliance.”

An official statement from Google said: "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we'll continue to do so going forward."