Google must review privacy policy, EU data regulators rule

European regulators have warned that the scope of Google's new consolidated privacy policy is "too large" and users must be given greater control over their data.
Written by Zack Whittaker, Contributor

European data protection and privacy regulators have warned Google that its new privacy policy shows legal "irregularities" and may not be "in compliance" with European law.

Speaking at a press conference in Paris, representatives from the French data protection authority charged with the investigation, the Commission Nationale de l'Informatique et des Libertes (CNIL), said that users were locked in to Google's new rules and must be given the choice to opt out of the controversial privacy policy.

The regulators warned Google that the scope of its new privacy policy is "too wide," and the firm should give users greater control of their own data.

The CNIL, known within privacy and data protection circles as an aggressive and determined agency, also published a dozen "recommendations." Members of the Article 29 Working Party, a group of data protection officials from each member state, said the 27 European authorities have "unanimously adopted the findings of the audit."

Included in the recommendations, the CNIL suggested Google should strengthen the consent sought for combining data for the purposes of service improvement and advertising; provide a centralized opt-out solution; and adapt the combination rules to distinguish between security and advertising.

Google was also warned for not clarifying how long it stores user data, otherwise known as data retention.

CNIL president Isabelle Falque-Pierrotin said Google has "not demonstrated its commitment" to the principles of the European Data Protection Directive, which governs the rules of data transfer and storage across the 27 European member states.

She added that it was "not the goal to declare war on Google and stifle innovation," but it was the CNIL's role to remind the search giant of its "responsibilities."

However, the CNIL stopped short of demanding the "unraveling" of the privacy policy, as reported by The Guardian earlier this week.

The Article 29 Working Party has given Google three to four months to comply with the CNIL's recommendations.

Google's global privacy counsel Peter Fleischer said in an emailed statement: "We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law."

On March 1, Google flipped the switch on a new privacy policy that combined and merged more than 70 different policies for its services. Google said the change would make its products better and enhance the experience for users, while making advertisements more targeted, allowing more specific and relevant ads for users.

Google generates more than 96 percent of its annual revenues from advertising, according to last year's end of year financial statement.

While Google ran advertisements on subways and warned users each time they visited a Google service that the new policy was on the way, privacy groups criticized the move because users could not opt out of the policy without pulling the plug on the service altogether.

While a select number of users are exempt from the new privacy policy -- Google Apps for Government, Education, and Business customers are exempt; and Google Chrome and Google Wallet users have separate policies governing their data use -- millions of European consumers and users are affected by the French watchdog's decision.

However, European data regulators warned Google to put the changes on ice after they claimed the new policy may breach European data protection laws. Google described the raising of concerns as a "surprise," and pushed ahead with its March 1 deadline.

The CNIL was charged with investigating the search giant to determine whether or not Google had fallen foul of EU data and privacy laws. The outcome was initially expected in September.

On Monday, a coalition of 24 of the 27 member states' data protection agencies sent a letter to Google chief executive Larry Page asking the search giant to explain its intentions and detail how the firm shares data across its array of services.

The letter also said Google must seek "explicit consent" from its users when combining data across its services. 

Update at 11:30 a.m. BST: with Google statement.
