But it didn't, and potentially left the search giant in a legal pickle in the region.
The Commission Nationale de l’Informatique et des Libertés (CNIL), France's data protection agency, wrote a detailed letter of 69 questions to Google and demanded answers by the end of this week at the latest.
But in a style true to its own, the search giant revealed very little about its practices or figures, and effectively gave CNIL the brushoff.
Google hit its three-week deadline for submitting answers with a few days spare, but probably because it only addressed --- though not necessarily answering --- only 24 of CNIL's questions it was asked in the March 16 letter.
A Google spokesperson said it will respond to the remaining questions "by April 15", a few days after the 'deadline' expires.
But immediately as Google responded, Reuters reports that the Dutch data protection authority warned that the policy could lead to Google facing "a range of sanctions". Japanese and South Korean authorities have previously warned that the new policy could breach their local law.
Interestingly, Google sheds light on the matter of Europe's data protection agencies reportedly getting up in arms, by saying that in effect, many did not.
On page 3:
There are 27 member states of the European Union, and a local data protection authority for each state, leading to the suggestion that Google did not ask all local authorities to reveal its plans.
But the Dutch data protection chief, Jacob Kohnstamm, hit back in a war of words by saying it was not his job to have "a cup of tea and a chat" with companies, and that it was their job to comply with the law that Europe sets out.
"I am not going to give advice to Google and do so on taxpayers' money," he added. Fair play to him.
On to page 4:
But after such an extensive notification it was difficult to see how such a pause was practically possible. At a practical level, “pausing” would have required us to launch yet another mammoth notification campaign, and would have proved confusing to our users."
Also on page 4, Google questioned under what "legal basis for the Working Party to act as a regulatory body, or to mandate the CNIL to conduct a regulatory review on behalf of 26 other independent DPAs?", which is Google's way of saying, "You can't tell us what to do," and hinting that the Article 29 Working Party acted outside of its brief.
It also points to the discrepancies in definitions across the European 27 member states, something that will be fixed in the upcoming Data Protection Regulation, currently going through the European Parliament.
Google does say that in regards to deleting data, it only delete's user personal data "at their request in line with our back-up and retention policies", adding: "Google’s back-up and retention policies are set to take into account users’ interest in security and business continuity. Such policies would, for example, enable us to restore a maliciously deleted user account."
It did not say how long data is retained for, however, and actively avoided the question on page 15.
The CNIL can issue a range of sanctions at a France-only level, and give the company anything from a week to a few months to change its behaviour. The CNIL's response would not have any effect on a European level, unless the European Commission steps in via the Article 29 Working Party.
More from Google on April 15.
- Confessions of a Google junkie (or, Privacy? What privacy?)
- Identity Matters: EPIC files FOI request over first Google Privacy Report to FTC