Google To Be Punished In France For Failing To Pare Back Its Overreaching Privacy Policy

Google is facing sanctions in France after it failed to amend its privacy policy to comply with French data protection law within a timetable set out by the national regulator. France’s data privacy regulator, the CNIL, said Friday it intends to initiate “a formal procedure for imposing sanctions” — which could include a fine — after a three-month deadline to comply with its requirements passed without Google making any changes.

Instead, according to the CNIL, Google waited until the last day of the compliance period to file a response in which it contested the watchdog’s reasoning. “[Google] has not complied with the requests laid down in the enforcement notice,” the CNIL said in a statement.

At issue is Google’s January 2012 decision to consolidate privacy policies across more than 70 different products into a single policy. Being able to knit together user data across distinct products clearly adds more firepower to products like Google Now, which draw on a range of data points to power reminders and generate recommendations for individual users.

But there are serious privacy implications in consolidating all that data too — and unsurprisingly, once Europe’s privacy regulators joined the dots on those implications, the unified policy drew wide-ranging criticism, with watchdogs calling for Google to give users more control over their data.

The recurring complaints coming from European regulators about the unified policy are that Google:

  • provides insufficient information to users regarding how it processes their data
  • has undefined or insufficiently defined data retention periods — with no clear retention periods for data related to users’ profiles
  • combines data in an unlimited way — reserving the right to combine data collected by its different services without limitation

France’s CNIL is one of six European data protection watchdogs that instigated national investigations into the privacy policy in April this year — invoking the threat of enforcement action should Google’s policy be determined to breach national law.

Then in July, the CNIL and the UK’s ICO formally asked Google to implement recommendations to ensure the policy complies with their respective national laws by September 20. It’s that failure to comply that has triggered sanctions in France.

The changes the CNIL had specifically asked Google to make to its privacy policy in France are to:

  • Define specified and explicit purposes;
  • Inform users with regard to the purposes of the processing implemented;
  • Define retention periods for the personal data processed;
  • Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
  • Fairly collect and process passive users’ data;
  • Inform users and then obtain their consent in particular before storing cookies in their terminal.

Update: A Google spokesperson provided TechCrunch with the following statement on the CNIL’s action: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and we’ll continue to do so going forward.”

It’s not yet clear whether the ICO will follow the CNIL’s lead and also move to impose sanctions on Google. A spokesman for the watchdog told TechCrunch that it received a response from Google within the deadline period and is currently “considering it”.

The spokesman declined to give further details on the content of Google’s response.