In January 2012, when Google announced that it would take the individual privacy legalese of over 60 of its services and roll it into a single overarching policy, it said the process would make it "easier for people to understand our privacy practices, as well as enable Google to improve the services we offer".
However, France's independent commission dedicated to data protection, the Commission nationale de l'informatique et des libertés (CNIL), has not seen Google's policies in the same light. It has finally issued a €150,000 ($203,751) penalty on the tech giant, almost two years after raising concerns with it.
In February 2012,after being asked by the Article 29 Working Party — a group representing data protection authorities from each European Union (EU) state, also known as the G29.
CNIL's immediate concerns were around a loss of transparency and comprehensiveness, claiming that "Google makes it impossible to understand which purposes, personal data, recipients, or access rights are relevant to the use of a specific service". It wrote to Google that month with a questionnaire, and set a deadline of April 5.
Google responded on April 20, 15 days after the deadline, but CNIL stated that the answers were often "incomplete or approximate". It tried again, sending another questionnaire on May 22 and setting a deadline of June 8. It also held a meeting with Google on May 23.
CNIL said that these recommendations, if not implemented, could see Google breach the French Data Protection Act. It gave Google four months to comply.
With Google declining to take action, CNIL issued a formal notice on June 20, 2013, instructing it toor face the consequences.
Google responded on the last day of the three-month period, again believing that CNIL's analysis was incorrect.
CNIL has now handed down a €150,000 ($203,751) penalty on the tech giant, which although may be insignificant relative to Google's revenues, represents the maximum penalty CNIL is permitted to issue. This is the first time CNIL has issued the maximum penalty to any party.
Other data protection authorities around the world are also pursuing or have already completed their own proceedings against Google, including the UK, the Spanish , and the Netherlands' .
Contacted for comment, Google restated that it had worked with CNIL on explaining its policies.
The penalty rests on CNIL's opinion that Google does not inform users of how personal data is processed or collected, does not obtain user consent prior to storing cookies, does not define data retention periods, and that it combines data across all of its services without any legal basis.
CNIL has additionally directed Google to publish the decision to issue a penalty on the front page of its French website. This must be done within eight days of CNIL's initial notification date of January 3, 2014.
Google has been fined previously by CNIL. In March 2011,to Google for the collection of personal data from its Street View cars.