Google’s Consolidated Privacy Policy Draws Fresh Fire In Europe

Google is facing a privacy policy probe in Europe. Last year Google consolidated more than 60 separate product privacy notices into one unified policy — combining the breadcrumbs of personal data left by users of different services so it could stockpile joined-up personal data as a strategy to rival Facebook’s walled garden. The move drew criticism from European privacy regulators — which last October called for Google to give users more control over their data.

The regulators stopped short of saying Google was acting illegally but published a list of privacy recommendations for Google, including suggesting the company should make it clearer to users how their personal information may be used, and how it is collected and collated from different services. The regulators also wanted Google to offer users an opt-out. At the time, Google told TechCrunch it was reviewing the report, adding: “We are confident that our privacy notices respect European law.”

The 27 regulators, led by France’s CNIL, gave Google three to four months to make changes to its privacy policy — or face “more contentious” action. In a statement on its website today, the CNIL said that four months on from that report Google has failed “to come into compliance” so will now face additional action.

“On 18 February, the European authorities find that Google does not give a precise answer and operational recommendations. Under these circumstances, they are determined to act and pursue their investigations,” the CNIL said in its statement (translated from French with Google Translate).

According to the statement, the European regulators intend to set up a working group, led by CNIL, to “coordinate their enforcement action” against Google — with the working group due to be established before the summer. An action plan for tackling the issue was drawn up at a meeting of the regulators late last month, and will be “submitted for validation” later this month, they added.

Responding to the CNIL’s statement, Google emailed the following comment: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and we’ll continue to do so going forward.”

Separately, the European Commission is in the process of reforming European privacy rules — with proposals to harmonize regulation across all member states, and strengthen independent national data protection authorities, including giving them the ability to fine companies up to €1 million ($1.27 million) or up to 2 percent of their global annual turnover. As part of this reform the EC is proposing European Internet users should be able to exercise a right to be forgotten by requesting that companies delete any personal data held on them — so long as there are no legitimate grounds to retain it.

At the opposite end of the privacy spectrum to a right to be forgotten is, arguably, Google Now: a mobile product introduced by Google in Android 4.1 which gathers data on the phone’s user via a variety of data points — such as a synced Gmail account and the phone’s physical location — in order to proactively push relevant information back out to the user, such as how long it will take to commute back home from your work.

Google Now can only function by having intimate access to multiple personal data points — but by being useful to the user, Google can sell this as a savvy feature, rather than an intrusion — justifying the gathering of a wealth of private data which it can also (of course) use for its own business ends by improving its targeted advertising.