In the report, released today, an EU data protection commissioner accused Google of not respecting data protection.
“It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object,” read a statement from the EU regulator.
It said that Google “provides insufficient information to its users on its personal data processing operations”, adding that Google users cannot tell how their personal data are used.
The French regulator Commission Nationale de l’Informatique et des Libertés (CNIL), which was appointed to lead the investigation on behalf of the EU, demanded that Google modify its practices.
It asked Google to give “clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations” and demanded the firm should allow users to choose when their data are combined between Google products.
It also said that users should be given the right to opt-out and that Google should modify its own systems so that data entered by users in one of the firm’s products cannot be passed to another without consent.
Google faced investigation after it combined all of the privacy policies related to individual products - numbering 60 – into a single, uniform policy, allowing it to transfer users’ data between different areas of and products belonging to the company. It was criticised when it emerged that people had no option but to accept the new terms.
No mention was made of any of the potential sanctions open to the CNIL, which include financial penalties, should Google fail to comply. The CNIL investigated Google on behalf of the Article 29 Data Protection Working Party, which represents European authorities.
Google was informed of the demands in a letter sent to its CEO Larry Page yesterday, Reuters reported.
Earlier this month, a spokesman told Bloomberg News its policy provided users with “clear and comprehensive information about how we use data…we are confident that our privacy notices respect the requirements of European data protection laws”.
The company has clashed with CNIL in the past over the collection of data by its Street View camera cars. Despite its protestations last year that the data scoop was done in error and voluntarily highlighted, it was handed the CNIL’s maximum fine of €100,000 (£80,700).