France and five other European nations are putting Google on notice about privacy, telling the search giant that if it doesn’t amend its policies about how it deals with users’ data within 90 days, large fines will be assessed.
The deadline was issued by France’s National Commission for Computing and Civil Liberties (CNIL), which is France’s data protection agency. In a statement, the CNIL told Google that it is taking the action because the company is not yet in compliance with French law.
An ongoing CNIL investigation “has confirmed Google’s breaches of the French Data Protection Act of 6 January 1978, as amended (hereinafter ‘French Data Protection Act’) which, in practice, prevents individuals from knowing how their personal data may be used and from controlling such use,” the CNIL statement said. “If Google Inc. does not comply with this formal notice at the end of the given time limit, CNIL’s Select Committee, in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company.”
The controversy over privacy and Google’s user policies has been simmering for some time. In May 2012, French regulators accused Google of not being cooperative with investigators looking into privacy issues concerning the company and its practices there. The CNIL had sent Google a questionnaire about the new privacy policy in March 2012, but the agency complained that Google’s answers were “often incomplete or approximate.” A follow-up survey also left questions remaining.
Earlier this April, France and five other European nations announced that the slow pace of Google’s progress on privacy issues caused them to plan their own steps to ensure improved data privacy for their citizens. That could mean hefty fines and deeper investigations into Google’s actions on user privacy. A European task force being led by the CNIL has been waiting since October 2012 for satisfactory progress from Google on how the search giant would make privacy improvements to protect users of its online services.
In January 2012, Google announced major changes to its data privacy policies, which folded 60 of its 70 previously separate product privacy policies under one blanket policy and broke down the identity barriers between some of its services to accommodate its then-new Google+ social network, according to an earlier eWEEK report. Google’s streamlining came as regulators continued to criticize Google, Facebook and other Web service providers for offering long-winded and legally gnarled privacy protocols. The Google privacy policy changes went into effect March 1, 2012.
However, these moves haven’t satisfied European authorities, which argue that they are not adequate to address the problems.
The other five European nations involved in the latest action are Germany, Italy, the Netherlands, Spain and the United Kingdom.
Under the CNIL’s 90-day ultimatum, Google must implement a series of steps, including defining “specified and explicit purposes to allow users to understand practically the processing of their personal data,” as well defining how long the personal data is held after its processing. That time period should “not exceed the period necessary for the purposes for which they are collected,” the CNIL states.
The group also demands that Google agree not to use “the potentially unlimited combination of users’ data” without having a legal basis to do so, and to inform users and then obtain their consent before storing cookies in Google’s systems.
Google Faces French Order to Fix Privacy Issues Within 90 Days
Google is also being told it must “fairly collect and process passive users’ data, in particular with regard to data collected using the ‘Doubleclick’ and ‘Analytics’ cookies, ‘+1’ buttons or any other Google service available on the visited page,” according to the CNIL.
Similar investigations will continue in the other five European nations as Google and France work toward an agreement on these issues, the CNIL reported.
If Google doesn’t comply, it faces an initial fine of up to $201,100 and a second of $396,400 if it still fails to act, according to a report by Reuters.
In April, Google was hit with an $189,167 fine in Germany for collecting user data without fully disclosing the practice as Google Street View vehicles combed German streets collecting information for its maps from 2007 to 2010.
The Street View program came under scrutiny both in the United States and in Europe after it was learned that Google was gathering the information street-by-street between 2007 and 2010, according to an earlier eWEEK report.
A similar case in the United States was resolved in March when a $7 million settlement was reached between Google and the U.S. government to end a probe into the Street View imaging program, which for three years collected personal information on users wirelessly as the Street View vehicles drove around taking photographs. The $7 million fine against Google was designed to resolve investigations that were under way by some 30 state attorneys general over the controversial Street View program.
Google’s progress on developing clearer, better-known policies regarding how it will use any of the personal data belonging to its users has become a sore point with many governments around the world, which say that the search giant is not moving quickly enough to address such privacy concerns.
Google could potentially be fined about $1 billion for shortcomings in its data privacy policies in Europe.