Google’s Unified Privacy Policy Draws Threat Of $15M Fine In The Netherlands

The national data protection authority in the Netherlands has warned Google that it could be fined up to $15 million if it does not make amendments to its privacy policy by the end of February 2015, to comply with Dutch data protection law .

Google’s January 2012 decision to combine the privacy policies of some 60 different products — in order for it to be able to gather more intel on webs users for targeting ads — quickly triggered a data protection review in October 2012, led the French data protection watchdog. That action was followed by individual investigations by multiple data protection watchdogs in Europe — with six member states, including the Netherlands, launching probes into Google’s handling of personal data in April last year.

The Dutch data protection authority, the CBP, has evidently run out of patience with Google. In a statement earlier this week, the CBP said it requires Google to gain unambiguous consent from users to combine multiple privacy policies across its products — specifying that this consent cannot be gained by a general agreement to a privacy policy but must be done “via a clear permission screen”.

Google must also clearly explain what personal data is being obtained by which of its services and for what purpose, and this information must be clearly and consistently conveyed in its privacy policy, it said.

The CBP is also concerned that YouTube be clearly labeled as a Google service — albeit the Dutch DPA notes that Google seems to have already taken action on this point.

Commenting in a statement, CBP president Jacob Kohnstamm said: “Google captures us in an invisible web of our personal information without telling us that and without asking our permission. This has been running since 2012 and we hope that our patience will no longer be put to the test.”

The CBP does add that Google has sent a letter to the six data protection authorities which launched reviews — namely France, Germany, Italy, Spain, the Netherlands and the U.K. — noting that the letters include details of a “large number of measures” aimed at addressing European privacy legislation compliance.

However the CBP said it has not yet determined whether Google’s proposed measures would resolve its privacy violations.

Responding to the Dutch threat of a fine a Google spokesperson told TechCrunch via email: “We’re disappointed with the Dutch data protection authority’s order, especially as we have already made a number of changes to our privacy policy in response to their concerns. However, we’ve recently shared some proposals for further changes with the European privacy regulators group, and we look forward to discussing with them soon.”