France, Italy pile on privacy, data pressure on Google; fines likely

France and Italy are set to gently grill Google over the European legal fire should it fail to change its merged privacy policy in the region. Other EU member states' privacy regulators are also less than pleased with the search giant.
Written by Zack Whittaker, Contributor on
Google's New York City headquarters. (Credit: ZDNet/CNET)

France's data protection agency has ordered Google to change its consolidated privacy policy, more than a year after the company merged 60 individual policies into one single document. 

In a press release issued Thursday, the Commission Nationale de l'Informatique et des Libertes (CNIL) said that following a year-long investigation, Google's data collection policies are in breach of French data protection and privacy laws. 

It comes more than half a year after European data protection and privacy regulators warned the search engine that its new privacy policy shows legal "irregularities" and may not be "in compliance" with European law.

Two of the biggest gripes the French have with Google's privacy policy practice is the "potentially unlimited combination of users' data" and the lack of definition for retention periods "that do not exceed the period necessary for the purposes for which they are collected."

Meanwhile, Italy's privacy watchdog asked Google for more information on how it treats user data, according to Reuters, shortly after the French watchdog's statement, sending a clear signal from two significant European economies.

The Italian authorities will evaluate a possible violation of data rules as it mulls over implementing similar financial sanctions.

Google said last year the privacy policy merger would make its products better, enhance the experience for users, while making advertisements more targeted allowing more specific and relevant ads for users. Privacy activists warned that it would be easier for Google and its advertisers to determine who was who, despite the anonymization, and warned of profiling.

Should the search giant fail to comply after the imposed three-month deadline, Google will face a fine of up to €150,000 ($198,000) and a second fine of up to €300,000 ($397,000) if the company fails to act.

But other data protection regulators around Europe, including the U.K. (which can serve a maximum £500,000 ($758,000) fine against a company), the Netherlands, Germany, Italy, and Spain are mulling over similar actions, the CNIL said.

Financial reprimands may not be enough for Google to change its mind. The two fines combined remains small change to Google. France's two fines alone would take the company less than 15 minutes to regenerate in revenue.

The search company continues to state that its privacy policy respects European law.

Editorial standards