Google Ordered To Amend Its Unified Privacy Policy In Europe By September

Google’s unified privacy policy continues to draw the attention and ire of data protection watchdogs in Europe. In the latest development, the U.K.’s ICO has confirmed it has written to Mountain View stating that the privacy policy raises serious questions about Google’s compliance with the UK Data Protection Act (h/t to TNW for spotting).

Specifically, the ICO said it is unhappy about the level of information Google is providing users about how their data is being used. In a statement, a spokesperson said:

“We have today written to Google to confirm our findings relating to the update of the company’s privacy policy. In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act.

“In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.

“Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policy’s compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”

The watchdog confirmed to TechCrunch its three main areas of concern — namely that Google needs to provide more information about how it processes users’ personal data; that Google needs to inform users specifically what their personal data is being used for so they fully understand the implications of using Google’s services; and that it must inform users when their personal data is being retained in a way they might not expect.

Here are the ICO’s three areas of concern in full:

Reasonable expectations and sufficient information

Google must comply with the first principle and provide further information in the policy with regards to the manner in which it processes personal data.

Specified purposes 

Google must comply with the second principle and further define and specify the purposes for which personal data is processed to allow users, regardless of their status, to understand in practice what the implications of using the services are.

Retention of data

Google must, in order to ensure processing is fair and in compliance with the first principle, give service users sufficient information where retention of personal data might exceed service users’ reasonable expectations.

An ICO spokesman said the watchdog has several enforcement options it can take against Google if the company fails to amend its privacy policy by September 20. These include serving Google with an enforcement notice, “which is essentially a legal stop-now order… if they breach that it could be taken to the courts”, and a monetary penalty of up to £500,000.

“That’s for serious breaches of the Data Protection Act that cause, or have the potential to cause, substantial damage and distress,” the spokesman added.

The spokesman noted that the ICO’s main areas of concern are “similar to those already raised by the French, Spanish and other data protection authorities also investigating this issue”. Back in April, six European countries kicked off data protection investigations into Google’s unified privacy policy: France, Germany, Italy, the Netherlands, Spain, and the U.K. This means Google is facing enforcement action on multiple fronts in Europe.

“France has also put a legal order in place on its recommendations so if they don’t comply with ours by the 20th of September there will also be problems across Europe,” the spokesman added.

A Google spokesperson provided the following statement in response to the ICO’s action: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we’ll continue to do so going forward.”