Google’s Unified Privacy Policy Triggers Co-ordinated Enforcement Action — And Threat Of Fines — In Six European Countries

Google is facing enforcement action — and possibly fines — in six European Union member states after it failed to make changes to its privacy policy following requests by European data protection regulators. The six countries that have today launched data protection investigations into Google’s unified privacy policy are France, Germany, Italy, the Netherlands, Spain, and the U.K.

The UK’s Information Commissioner’s Office gave the Verge the following statement confirming it has launched an investigation into whether the policy infringes national law:

The ICO has launched an investigation into whether Google’s revised March 2012 privacy policy is compliant with the Data Protection Act. The action follows an initial investigation by the French data protection authority CNIL, on behalf of the Article 29 group of which the ICO is a member. Several data protection authorities across Europe are now considering whether the policy is compliant with their own national legislation. As this is an ongoing investigation it would not be appropriate to comment further.

Back in February, the French data protection regulator, CNIL, called out Google for failing “to come into compliance” within the four-month period set out by the original October report into the policy, conducted by the Article 29 Working Party — and said Mountain View would therefore face additional action. Representatives of Google met with the CNIL-led taskforce last month but, according to CNIL, “following this meeting, no change has been seen” — thereby triggering today’s national actions.

The CNIL’s release states:

It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation. Consequently, all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation (investigations, inspections, etc.)

In particular, the CNIL notified Google of the initiation of an inspection procedure and that it had set up an international administrative cooperation procedure with its counterparts in the taskforce.

This latest brush with Europe’s data protection watchdogs was triggered by Google’s action last year to consolidate more than 60 separate product privacy notices into one unified policy. After an investigation, European privacy regulators published a list of privacy recommendations for Google, including suggesting the company should make it clearer to users how their personal information may be used, and how it is collected and collated from different services. They also wanted Google to offer users an opt-out. It is these recommendations that Google has apparently failed to comply with, resulting in today’s actions.

Google provided TechCrunch with the following statement regarding the latest stage of the CNIL-led action: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the DPAs involved throughout this process, and we’ll continue to do so going forward.”

It’s unclear whether the European action contributed to the departure of Google’s director of privacy Alma Whitten, announced yesterday.