The Dutch privacy watchdog has ruled that the search engine giant does indeed violate the Dutch data protection act, after a seven-month investigation.
In its official ruling on the matter, the Data Protection Authority (DPA) of the Netherlands found that Google’s practice of combining personal data from different services, introduced with its new privacy policy on 1 March 2012, is in breach of the Dutch data protection act.
“Google spins an invisible web of our personal data, without our consent. And that is forbidden by law”, said the chairman of the Dutch data protection authority, Jacob Kohnstamm.
The Dutch DPA has now invited Google to attend a hearing, after which the authority will decide whether it will take enforcement measures, including possible fines.
According to the DPA, Google’s services (Search, YouTube, Gmail etc.) reach almost every person in the Netherlands with internet access, and the authority feels that it is almost impossible not to use Google services on the internet.
The DPA’s report identified three types of users of Google services. The first group is made up of people with a Google account. The second group is people without a Google account who use the open services of Google such as Search and YouTube. The third and final group is those people who do not use Google. According to the DPA, Google also collects data about this last group when they visit one of the more than 2 million websites worldwide with Google advertising cookies.
The DPA’s investigation apparently revealed that Google combines personal data relating to internet users which it obtains from different services. Google does this in order to display personalised ads and to personalise services such as YouTube and Search. The DPA argues that some of this collected data is of a sensitive nature, “such as payment information, location data and information on surfing behaviour across multiple websites.”
“Google does not adequately inform users about the combining of their personal data from all these different services,” said the DPA. “On top of that, Google does not offer users any (prior) options to consent to or reject the examined data processing activities.”
But Google has denied the Dutch authority’s findings, saying it provided users of its services with sufficiently specific information about the way it processed their personal data.
“Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward,” Reuters quoted Google as saying in a statement.
The Dutch ruling comes amid similar investigations by other European watchdogs. In September the French watchdog CNIL told Google it had started a formal procedure for punishing the company over its privacy policy, after repeated failures to make changes to it. One month later CNIL, speaking on behalf of other European watchdogs, ordered an “upgrade” to the Google privacy policy.
The UK’s Information Commissioner’s Office (ICO) meanwhile has told Google it wanted the privacy policy changed to make it “more informative for individual service users”.
Comments
If anyone claims they will do no harm - be suspicious!
It's time that someone stood up to Google and its infringement of privacy.
The Dutch are right in that Google is now unavoidable in normal daily life and higher levels of standards about data collection (or rather not collecting) should be imposed on them.
Have a read of "Turing's Cathedral" by George Dyson. In particular pages 306 - 309. These pages outline one person's fiction that has become reality!