French privacy commission issues maximum penalty on Google

After two years of denying to French data protection groups that its unified privacy policy breaches privacy legislation, Google has been issued with the maximum possible fine by France's privacy commission.
Written by Michael Lee, Contributor

In January 2012, when Google announced that it would take the individual privacy legalese of over 60 of its services and roll it into a single overarching policy, it said the process would make it "easier for people to understand our privacy practices, as well as enable Google to improve the services we offer".

However, France's independent commission dedicated to data protection, the Commission nationale de l'informatique et des libertés (CNIL), has not seen Google's policies in the same light. It has finally issued a €150,000 ($203,751) penalty on the tech giant, almost two years after raising concerns with it.

In February 2012, CNIL began analysing Google's proposed privacy policy after being asked by the Article 29 Working Party — a group representing data protection authorities from each European Union (EU) state, also known as the G29.

CNIL's immediate concerns were around a loss of transparency and comprehensiveness, claiming that "Google makes it impossible to understand which purposes, personal data, recipients, or access rights are relevant to the use of a specific service". It wrote to Google that month with a questionnaire consisting of 69 queries, and set a deadline of April 5.

Google responded on April 20, 15 days after the deadline, but CNIL stated that the answers were often "incomplete or approximate". It tried again, sending another questionnaire on May 22 and setting a deadline of June 8. It also held a meeting with Google on May 23.

Google again missed the deadline, responding to the second round of queries on June 21, 13 days late. By October, CNIL had completed its analysis, formed a number of its own conclusions about Google's unified privacy policy, and sent it a number of recommendations on behalf of the G29.

CNIL said that these recommendations, if not implemented, could see Google breach the French Data Protection Act. It gave Google four months to comply.

Google disagreed with CNIL's analysis, taking no action to implement the recommendations. It instead stated that its privacy policy respects European law, and that it has engaged fully with CNIL.

With Google declining to take action, CNIL issued a formal notice on June 20, 2013, instructing it to comply within three months or face the consequences.

Google responded on the last day of the three-month period, again believing that CNIL's analysis was incorrect.

CNIL has now handed down a €150,000 ($203,751) penalty on the tech giant, which although may be insignificant relative to Google's revenues, represents the maximum penalty CNIL is permitted to issue. This is the first time CNIL has issued the maximum penalty to any party.

Other data protection authorities around the world are also pursuing or have already completed their own proceedings against Google, including the UK Information Commissioner's Office, the Spanish La Agencia Española de Protección de Datos, and the Netherlands' College Bescherming Persoonsgegevens.

Contacted for comment, Google restated that it had worked with CNIL on explaining its policies.

"We've engaged fully with the CNIL throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services. We'll be reading their report closely to determine next steps," a Google spokesperson said.

The penalty rests on CNIL's opinion that Google does not inform users of how personal data is processed or collected, does not obtain user consent prior to storing cookies, does not define data retention periods, and that it combines data across all of its services without any legal basis.

CNIL has additionally directed Google to publish the decision to issue a penalty on the front page of its French website. This must be done within eight days of CNIL's initial notification date of January 3, 2014.

Google has been fined previously by CNIL. In March 2011, CNIL issued a €100,000 ($135,787) penalty to Google for the collection of personal data from its Street View cars.

Editorial standards