Google has apparently missed a 90-day deadline given in June by France’s data protection agency that asked the search giant to comply with France’s data protection law. The agency, angered by Google’s inaction, says it will now begin a process of fining Google for the company’s indifference.
In a terse statement posted on the agency’s Website on Sept. 27, France’s National Commission for Computing and Civil Liberties (CNIL) announced that Google waited until the “last day of a three-month time period” to “contest the reasoning” of the CNIL’s June order, rather than coming into compliance with the order.
“On 20 June 2013, the CNIL’s Chair had ordered Google to comply with the French data protection law within 3 months,” the statement said. “On the last day of this period, Google responded to the CNIL. Google contests the reasoning of the CNIL and has not complied with the requests laid down in the enforcement notice.”
Google’s argument in contesting the CNIL’s rules centered on “the applicability of the French data protection law to the services used by residents in France,” according to the agency. “Therefore, [Google] has not implemented the requested changes. In this context, the Chair of the CNIL will now designate a [representative] for the purpose of initiating a formal procedure for imposing sanctions, according to the provisions laid down in the French data protection law.”
Asked about the situation, a Google spokesperson told eWEEK in an email, “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and we’ll continue to do so going forward.” The spokesperson declined to comment further on the matter.
In its June action, the CNIL asked Google to comply with the French data protection law within three months by defining specified and explicit purposes for its data collection of users of Google services in France, as well as informing users about why their personal data would be processed by Google. Also requested by the CNIL order was that Google stop collecting “the potentially unlimited combination of users’ data” without a legal basis, and to begin to “fairly collect and process passive users’ data.” The agency also wants Google to inform users and then obtain their consent in particular before storing cookies.
The CNIL’s moves follow a new privacy policy that Google implemented in March 2012 for users around the globe. Google had announced the then-proposed major changes to its data privacy policies in January 2012, which folded 60 of its 70 previously separate product privacy policies under one blanket policy and broke down the identity barriers between some of its services to accommodate its then-new Google+ social network, according to an earlier eWEEK report. Google’s streamlining came as regulators continued to criticize Google, Facebook and other Web service providers for offering long-winded and legally gnarled privacy protocols.
The controversy ramped up in June when the CNIL investigation determined that Google had breached the French Data Protection Act of 1978, which sets rules so that individuals can know about how their personal data may be used by companies. In May 2012, French regulators accused Google of not being cooperative with investigators looking into privacy issues concerning the company and its practices there. The CNIL had sent Google a questionnaire about the new privacy policy in March 2012, but the agency complained that Google’s answers were “often incomplete or approximate.” A follow-up survey also left questions remaining.
France is one of six European nations that have been battling Google over its handling of personal data of their citizens. The other nations are Germany, Italy, the Netherlands, Spain and the United Kingdom. A European task force being led by the CNIL has been waiting since October 2012 for satisfactory progress from Google on how the search giant would make privacy improvements to protect users of its online services.
Similar investigations continue in the other five European nations as Google and France work toward an agreement on these issues.
Google could potentially be fined about $1 billion for shortcomings in its data privacy policies in Europe.