On Monday, the CNIL wrote to Google to share its initial findings and to tell the company it will carry out an investigation on behalf of EU data protection bodies.
"Our preliminary analysis shows that Google's new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects," the CNIL wrote in a letter to chief executive Larry Page (PDF).
"The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services," it added. "They have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation."
User data is mixed-and-matched across 60 Google services, and the new policy tells users the only way to avoid this is to close their Google account. While the CNIL acknowledged the company's efforts to inform its users about the changes, it said Google was not providing "transparent" and "comprehensive" information about what it will do with the data.
CNIL said the way the policy is presented to users means "it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals."
In particular, the authority said it is concerned that the policy does not comply with Articles 6 and 7 of the EU's Data Protection Directive. These sections relate to the scope of user data that can be processed by a company and the consent it must gather from users to do this.
Beyond the policy itself, CNIL complained that Google had not given data protection authorities much forewarning of the changes, despite having claimed that it had "extensively pre-briefed" them.
In response, Google said it believed it had found a reasonable balance between two recommendations from the Article 29 Working Party, which asked CNIL to undertake the analysis. These recommendations were to streamline its policy, while providing comprehensive information to users.
"Over the past month we have asked to meet with the CNIL on several occasions to answer any questions they might have, and that offer remains open," Google said in a statement.
The French privacy body plans to send Google a questionnaire regarding the policy as well as "other related aspects of Google's data processing activities" by mid-March 2012. In the meantime, it has reiterated calls for the company to put a hold on implementing the policy and asked Google to provide users with more information on what it is doing with data-sharing.
Google was fined €100,000 (£87,000) by CNIL a year ago for harvesting personal Wi-Fi data via its Street View car project.
Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.