Google's practice of combining privacy policies across its various services has been found to be in violation of the Dutch law by the Netherlands' privacy regulator CBP (College BeschermingPersoonsgegevens) after extensive research on the matter.
However, although presented as a measure to accommodate its users, the move immediately caught the attention of regulators across Europe, because it also allowed Google to combine user data from diverse services.
That in turn, allowed Google to put together an extremely detailed user profile, all without asking its users for their permission. After all, users don't have the ability to opt out of the process of their different data sets being combined, can contain extremely sensitive information, such as their payment details, location data and details about online behaviour.
CBP chairman Jacob Kohnstamm strongly condemned the way Google handles its user data: "The way Google has combined personal data since the introduction of the revised privacy conditions on 1 March 2012 is in violation with the Dutch Data Protection Act," he said in a statement.
"Google combines personal data of internet users obtained via different kinds of Google services without properly informing its users and without asking them for permission. Our research shows that Google does not sufficiently inform its users about what personal data the company gathers and to what end. Google is creating an invisible web of our personal data, without our permission and that, by definition, is forbidden according to Dutch law."
No legal action… yet
Although Google's practices have found to be violation of Dutch Law, the privacy regulator said it currently has no intention to fine Google, provided that the company is willing to make changes.
"We have meanwhile invited Google for a hearing, after which we will decide if and how we are going to deploy any means necessary with regard to enforcement of the law," the CBP said.