Google's privacy policy comes under EU probe

The French privacy watchdog has begun an EU probe into Google's overhauled privacy policy, saying it does not give users clear and comprehensive information about the company's cross-service data sharing
Written by Jack Clark, Contributor

Google's new privacy policy has become the target of an EU investigation, after the French data protection authority found it failed to comply with European regulations.

In early February, EU officials told Google they had asked the Commission Nationale de l'Informatique et des Libertes (CNIL) to look into the privacy implications of the company's plans to share people's data across all of its products and services. Under an updated Google privacy policy set to come in on Thursday, users will not be able to opt out of having their data merged and used for targeted advertising.

On Monday, the CNIL wrote to Google to share its initial findings and to tell the company it will carry out an investigation on behalf of EU data protection bodies.

"Our preliminary analysis shows that Google's new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects," the CNIL wrote in a letter to chief executive Larry Page (PDF).

"The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services," it added. "They have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation."

User data is mixed-and-matched across 60 Google services, and the new policy tells users the only way to avoid this is to close their Google account. While the CNIL acknowledged the company's efforts to inform its users about the changes, it said Google was not providing "transparent" and "comprehensive" information about what it will do with the data.

"Google's online services are numerous and differ greatly, both with regard to purposes and types of data they process. The new privacy policy provides only general information about all the services and types of personal data Google processes. As a consequence, it is impossible for average users who read the new policy to distinguish which purposes, collected data, recipients or access rights are currently relevant to their use of a particular Google service," the privacy watchdog said.

CNIL said the way the policy is presented to users means "it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals."

In particular, the authority said it is concerned that the policy does not comply with Articles 6 and 7 of the EU's Data Protection Directive. These sections relate to the scope of user data that can be processed by a company and the consent it must gather from users to do this.

Beyond the policy itself, CNIL complained that Google had not given data protection authorities much forewarning of the changes, despite having claimed that it had "extensively pre-briefed" them.

In response, Google said it believed it had found a reasonable balance between two recommendations from the Article 29 Working Party, which asked CNIL to undertake the analysis. These recommendations were to streamline its policy, while providing comprehensive information to users.

"Over the past month we have asked to meet with the CNIL on several occasions to answer any questions they might have, and that offer remains open," Google said in a statement.

The French privacy body plans to send Google a questionnaire regarding the policy as well as "other related aspects of Google's data processing activities" by mid-March 2012. In the meantime, it has reiterated calls for the company to put a hold on implementing the policy and asked Google to provide users with more information on what it is doing with data-sharing.

Google was fined €100,000 (£87,000) by CNIL a year ago for harvesting personal Wi-Fi data via its Street View car project.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Editorial standards