Google has been hit with a $204,200 fine by France’s National Commission for Computing and Civil Liberties (CNIL) in connection with changes Google made to its data policies in 2012 that continue to be in conflict with the French Data Protection Act.
The fine, which is the highest financial penalty assessed so far by the French data protection agency, was announced Jan. 8 by the CNIL.
The CNIL’s decision relates to Google’s move back in March 2012 to merge many of the company’s privacy policies into one overarching policy for some 60 Google services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs and Google Maps, according to the CNIL announcement. “Nearly all Internet users in France are impacted by this decision due to the number of services concerned,” the agency said.
The CNIL action to fine Google was taken because Google “does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing,” the report continued. “They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.”
The CNIL statement also said that the fine was implemented because Google “does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals,” and that the company “fails to define retention periods applicable to the data which it processes.”
In addition, the CNIL reported that Google erroneously “permits itself to combine all the data it collects about its users across all of its services without any legal basis.”
The G29, the Working Group of all European Union Data Protection authorities, previously had contacted Google about the matter, but Google “failed to comply with the EU legal framework,” and the group “correspondingly issued several recommendations, which Google Inc. did not effectively follow-up upon. Consequently, six EU Authorities individually initiated enforcement proceedings against the company,” the statement continued. “These conclusions are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws.”
The high fine “is justified by the number and the seriousness of the breaches stated in the case,” the CNIL announced. Google has also been ordered to post notice of the CNIL decision on the French Google Web page for 48 hours to help notify affected users of the fine and the agency’s decision in the case.
In June 2013, Google was given 90 days by French regulators to amend its policies about how the company deals with users’ data or face large fines. Five other EU nations made similar threats to Google. The deadline was issued by the CNIL at that time. In a statement, the CNIL told Google that it was taking the action because the company is not yet in compliance with French law.
Google did not respond to an eWEEK inquiry on Jan. 9 seeking comment on the case.
The controversy over privacy and Google’s user policies has been simmering for some time. In May 2012, French regulators accused Google of not being cooperative with investigators looking into privacy issues concerning the company and its practices there. The CNIL had sent Google a questionnaire about the new privacy policy in March 2012, but the agency complained that Google’s answers were “often incomplete or approximate.” A follow-up survey also left questions remaining.
Earlier, in April 2013, France and five other European nations announced that the slow pace of Google’s progress on privacy issues caused them to plan their own steps to ensure improved data privacy for their citizens. A European task force being led by the CNIL has been waiting since October 2012 for satisfactory progress from Google on how the search giant would make privacy improvements to protect users of its online services.
Google merged the 60 privacy policies to help break down the identity barriers between some of its services to accommodate its then-new Google+ social network, according to an earlier eWEEK report. Google’s streamlining came as regulators continued to criticize Google, Facebook and other Web service providers for offering long-winded and legally gnarled privacy protocols. The Google privacy policy changes went into effect March 1, 2012.
In April 2013, Google was hit with a $189,167 fine in Germany for collecting user data without fully disclosing the practice as Google Street View vehicles combed German streets collecting information for its maps from 2007 to 2010.
A similar case in the United States was resolved in March 2013 when a $7 million settlement was reached between Google and the U.S. government to end a probe into the Street View imaging program, which for three years collected personal information on users wirelessly as the Street View vehicles drove around taking photographs. The $7 million fine against Google was designed to resolve investigations that were under way by some 30 state attorneys general over the controversial Street View program.
Google’s progress on developing clearer, better-known policies regarding how it will use any of the personal data belonging to its users has become a sore point with many governments around the world, which say that the search giant is not moving quickly enough to address such privacy concerns.
Google could potentially be fined about $1 billion for shortcomings in its data privacy policies in Europe.