Google facing €15m Dutch fine over privacy changes

Dutch regulator threatens search giant with fines if it doesn't smarten up its unified privacy policy.
Written by Martin Gijzemijter, Contributor

The Dutch data protection authority, College Bescherming Persoonsgegevens (CBP), is threatening to fine Google for violating Dutch privacy rules.

According to CBP, Google's terms of service on privacy, which were altered in 2012, are in violation of the Dutch Data Protection Act (known as the WPB). The regulator says that Google combines user data from various Google services in order to display personalised ads, without the user's consent. It's now threatening Google with a €15m fine unless it makes changes to the policy.

According to CBP, the problem doesn't just affect people who are logged into a Google account, but also those who use Google's search engine or visit a website with Google cookies and the message: "Details about search queries, location data, videos and emails viewed can be combined, whereas those services each serve entirely different purposes."

CBP claims that Google gathers information without properly informing internet users in advance and without asking for permission, which violates Dutch law.

Combining information without consent

In a statement on its website, CBP chairman Jacob Kohnstamm said: "Google is capturing us in an invisible web of privacy-sensitive information, without informing us and without asking our consent. This has been going on since 2012 and we hope that our patience will no longer be put to the test."

The watchdog is demanding that Google ask its users for their unambiguous consent before combining personal information from various Google services. "[Google] can do this by means of a clear consent screen, for instance. Unambiguous consent cannot be obtained by simply including information about this procedure in the general (privacy) conditions," Kohnstamm added.

In addition, CBP wants Google to change the privacy policy so that users are clearly and consistently informed about which bits of their personal information are being used by Google's services. The regulator is also asking Google to make it clearer that YouTube is part of Google, although CBP says that "Google [already] seems to have taken measures in this regard".

The search giant has been given until late February 2015 to adopt the CBP's changes in order to comply with Dutch law, after which time the CBP will begin an investigation into whether Google has met all of its requirements.

Under investigation

The Netherlands is not the first country to slap Google on the wrist over its privacy policy. Early in 2012 Google announced that, as of that March, it was bringing in a new privacy policy worldwide for all Google services. The French privacy regulator almost immediately launched an investigation on behalf of all European privacy regulators, the results of which were published in October 2012.

After the preliminary investigation, six privacy regulators - in France, Germany, Italy, the Netherlands, Spain, and the UK - decided to launch their own national investigations based on their countries' respective privacy legislation.

Google issued an official response to the six regulators, in which it announced a large number of measures intended to make the policy to comply with European privacy legislation.

The CBP has not yet established whether the proposed measures bring Google into line with Dutch law.

"We're disappointed with the Dutch data protection authority's order, especially as we have already made a number of changes to our privacy policy in response to their concerns. However, we've recently shared some proposals for further changes with the European privacy regulators group and we look forward to discussing with them soon," Google said in a statement to ZDNet.

Read more on this story:

Editorial standards