Google Faces French Order to Fix Privacy Issues Within 90 Days

Google will have to pay big fines if it misses the deadline, France's data protection agency stated. Five other European nations are making similar threats.

tech law

France and five other European nations are putting Google on notice about privacy, telling the search giant that if it doesn't amend its policies about how it deals with users' data within 90 days, large fines will be assessed.

The deadline was issued by France's National Commission for Computing and Civil Liberties (CNIL), which is France's data protection agency. In a statement, the CNIL told Google that it is taking the action because the company is not yet in compliance with French law.

An ongoing CNIL investigation "has confirmed Google's breaches of the French Data Protection Act of 6 January 1978, as amended (hereinafter 'French Data Protection Act') which, in practice, prevents individuals from knowing how their personal data may be used and from controlling such use," the CNIL statement said. "If Google Inc. does not comply with this formal notice at the end of the given time limit, CNIL's Select Committee, in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company."

The controversy over privacy and Google's user policies has been simmering for some time. In May 2012, French regulators accused Google of not being cooperative with investigators looking into privacy issues concerning the company and its practices there. The CNIL had sent Google a questionnaire about the new privacy policy in March 2012, but the agency complained that Google's answers were "often incomplete or approximate." A follow-up survey also left questions remaining.

Earlier this April, France and five other European nations announced that the slow pace of Google's progress on privacy issues caused them to plan their own steps to ensure improved data privacy for their citizens. That could mean hefty fines and deeper investigations into Google's actions on user privacy. A European task force being led by the CNIL has been waiting since October 2012 for satisfactory progress from Google on how the search giant would make privacy improvements to protect users of its online services.

In January 2012, Google announced major changes to its data privacy policies, which folded 60 of its 70 previously separate product privacy policies under one blanket policy and broke down the identity barriers between some of its services to accommodate its then-new Google+ social network, according to an earlier eWEEK report. Google's streamlining came as regulators continued to criticize Google, Facebook and other Web service providers for offering long-winded and legally gnarled privacy protocols. The Google privacy policy changes went into effect March 1, 2012.

However, these moves haven't satisfied European authorities, which argue that they are not adequate to address the problems.

The other five European nations involved in the latest action are Germany, Italy, the Netherlands, Spain and the United Kingdom.

Under the CNIL's 90-day ultimatum, Google must implement a series of steps, including defining "specified and explicit purposes to allow users to understand practically the processing of their personal data," as well defining how long the personal data is held after its processing. That time period should "not exceed the period necessary for the purposes for which they are collected," the CNIL states.

The group also demands that Google agree not to use "the potentially unlimited combination of users' data" without having a legal basis to do so, and to inform users and then obtain their consent before storing cookies in Google's systems.