Google Gets French Deadline Over Privacy Issues

France and five other European nations are putting Google on notice about privacy, telling the search giant that if it doesn’t amend its policies for dealing with users’ data within 90 days, large fines will be assessed.

The deadline was issued by France’s National Commission for Computing and Civil Liberties (CNIL), which is France’s data protection agency.

Not yet in compliance

In a statement, the CNIL told Google that it is taking the action because the company is not yet in compliance with French law.

An ongoing CNIL investigation “has confirmed Google’s breaches of the French Data Protection Act of 6 January 1978, as amended (hereinafter ‘French Data Protection Act’) which, in practice, prevents individuals from knowing how their personal data may be used and from controlling such use,” the CNIL statement said. “If Google Inc. does not comply with this formal notice at the end of the given time limit, CNIL’s Select Committee, in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company.”

The controversy over privacy and Google’s user policies has been simmering for some time. In May 2012, French regulators accused Google of not being cooperative with investigators looking into privacy issues concerning the company and its practices there.

The CNIL had sent Google a questionnaire about the new privacy policy in March 2012, but the agency complained that Google’s answers were “often incomplete or approximate.” A follow-up survey also left questions remaining.

Earlier this April, France and five other European nations announced that the slow pace of Google’s progress on privacy issues caused them to plan their own steps to ensure improved data privacy for their citizens. That could mean hefty fines and deeper investigations into Google’s actions on user privacy.

A European task force being led by the CNIL has been waiting since October 2012 for satisfactory progress from Google on how the search giant would make privacy improvements to protect users of its online services.

Major policy changes

In January 2012, Google announced major changes to its data privacy policies, which folded 60 of its 70 previously separate product privacy policies under one blanket policy and broke down the identity barriers between some of its services to accommodate its then-new Google+ social network, according to an earlier eWEEK report.

Google’s streamlining came as regulators continued to criticise Google, Facebook and other web service providers for offering long-winded and legally gnarled privacy protocols. The Google privacy policy changes went into effect on 1 March, 2012.

However, these moves haven’t satisfied European authorities, which argue that they are not adequate to address the problems. The other five European nations involved in the latest action are Germany, Italy, the Netherlands, Spain and the United Kingdom.

Under the CNIL’s 90-day ultimatum, Google must implement a series of steps, including defining “specified and explicit purposes to allow users to understand practically the processing of their personal data”, as well defining how long the personal data is held after its processing.

That time period should “not exceed the period necessary for the purposes for which they are collected”, the CNIL states.

Passive users

The group also demands that Google agree not to use “the potentially unlimited combination of users’ data” without having a legal basis to do so, and to inform users and then obtain their consent before storing cookies in Google’s systems.

Google is also being told it must “fairly collect and process passive users’ data, in particular with regard to data collected using the ‘Doubleclick’ and ‘Analytics’ cookies, ‘+1’ buttons or any other Google service available on the visited page”, according to the CNIL.

Similar investigations will continue in the other five European nations as Google and France work toward an agreement on these issues, the CNIL reported.

If Google doesn’t comply, it faces an initial fine of up to $201,100 (£130,000) and a second of $396,400 if it still fails to act, according to a report by Reuters.

In April, Google was hit with an $189,167 fine in Germany for collecting user data without fully disclosing the practice as Google Street View vehicles combed German streets collecting information for its maps from 2007 to 2010.

The Street View programme came under scrutiny both in the United States and in Europe after it was learned that Google was gathering the information street-by-street between 2007 and 2010, according to an earlier eWEEK report.

$7m US settlement

A similar case in the United States was resolved in March when a $7 million settlement was reached between Google and the US government to end a probe into the Street View imaging programme, which for three years collected personal information on users wirelessly as the Street View vehicles drove around taking photographs.

The $7 million fine against Google was designed to resolve investigations that were under way by some 30 state attorneys general over the controversial Street View programme.

Google’s progress on developing clearer, better-known policies regarding how it will use any of the personal data belonging to its users has become a sore point with many governments around the world, which say that the search giant is not moving quickly enough to address such privacy concerns.

Google could potentially be fined about $1 billion for shortcomings in its data privacy policies in Europe.

Are you a Google expert? Take our quiz!

Originally published on eWeek.

Todd R. Weiss

Freelance Technology Reporter for TechWeekEurope and eWeek

View Comments

  • "An obtain their consent before storing cookies in Google’s systems."

    Google already does, or am I imagining that box which ask me whether Google can store a cookie on my computer every time I go to the site after clear my cookies to get around the Daily Telegraph 30 article limit.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

1 day ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

1 day ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

1 day ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

2 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

2 days ago