Google's privacy policy merger 'against Dutch law'

Google's recent move to unite all the privacy policies of its various services into a single offering has been slapped down by the Netherlands' privacy regulator.

Google's practice of combining privacy policies across its various services has been found to be in violation of the Dutch law by the Netherlands' privacy regulator CBP (College BeschermingPersoonsgegevens) after extensive research on the matter.

Read this

Microsoft updates service terms; follows in Google's footsteps

While Microsoft's has clearly learned from Google's privacy policy disaster, the Redmond giant's new service agreement skirts close to the edges.

Read More

In 2012, Google implemented a significant change in its privacy policy, merging the individual policies from its numerous services into one uniform document — which, according to the search giant, was convenient and easier to understand.

However, although presented as a measure to accommodate its users, the move immediately caught the attention of regulators across Europe, because it also allowed Google to combine user data from diverse services.

That in turn, allowed Google to put together an extremely detailed user profile, all without asking its users for their permission. After all, users don't have the ability to opt out of the process of their different data sets being combined, can contain extremely sensitive information, such as their payment details, location data and details about online behaviour.

Insufficiently informed

CBP chairman Jacob Kohnstamm strongly condemned the way Google handles its user data: "The way Google has combined personal data since the introduction of the revised privacy conditions on 1 March 2012 is in violation with the Dutch Data Protection Act," he said in a statement.

"Google combines personal data of internet users obtained via different kinds of Google services without properly informing its users and without asking them for permission. Our research shows that Google does not sufficiently inform its users about what personal data the company gathers and to what end. Google is creating an invisible web of our personal data, without our permission and that, by definition, is forbidden according to Dutch law."

No legal action… yet

Although Google's practices have found to be violation of Dutch Law, the privacy regulator said it currently has no intention to fine Google, provided that the company is willing to make changes.

Related article

Amazon, Google accused of tax avoidance by U.K. lawmakers

Bumbling through, Amazon U.K. and Google U.K. representatives failed to disclose any valuable or insightful data on why their tax record in the country is so low, despite appearing in front of a U.K. parliamentary committee to answer questions.

Read More

"We have meanwhile invited Google for a hearing, after which we will decide if and how we are going to deploy any means necessary with regard to enforcement of the law," the CBP said. 

Meanwhile, the Dutch branch of Google has responded to the allegations: "Our privacy policy respects European legislation and allows us to create simpler and more efficient services. During this process, we have seized each and every opportunity to engage in discussion with the CBP and we will continue to do so."

Even though the company is claiming to be operating in compliance with European legislation, the Netherlands is not the first country to attack Google over its privacy policy. Spain, Italy, UK and Germany have either threatened Google over the privacy policy matter or actually pressed charges.

Earlier this month the regional court of Berlin ruled that various clauses in Google's contracts are unlawful, stating that a total of 25 clauses in the terms of use and privacy conditions were worded too vaguely or improperly restricted the rights of consumers.

Further reading