“Google has a few months, three or four months, to comply. If it takes no action, we will enter a phase of litigation,” said the head of France’s CNIL data protection agency, which took a lead role in a European investigation.
At the time Google said the move would make its privacy policies simpler and easier to understand. Users were given the options of either accepting the new regime or deleting their Google accounts.
The CNIL led an investigation into the policy by data agencies from all 27 European Union member states, including Britain’s Information Commissioner, and on Tuesday presented its conclusions at a press conference in Paris.
In a joint letter to Google made public ahead of the conference, the agencies wrote that the US firm “provides insufficient information to its users, especially on the purposes and the categories of data being processed.
“As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed,” it said.
CNIL president Isabelle Falque-Pierrotin said that “we now demand adjustments” to the policy, failing which “authorities in several countries can take action against Google”.
She added however that such action would be taken on a national and not an EU level.
In order to avoid sanctions, CNIL said Google must “reinforce users’ consent”, such as by asking for permission to combine data from different services and offering a central “opt-out” tool to increase their control over how they are monitored.
“Under EU data protection law, such consent must be specific, informed and voluntary,” said Philip James, a data protection lawyer at Pitmans.
TAKE IT OR LEAVE IT DEAL – MEANS CONSENT IS INVALID **KEY CONCEPT
“Since the use of the pool of data is likely to have been outside consumers’ expectations when they first signed up to a service, coupled with the ‘take it or leave it deal’, namely that users must either consent or lose their accounts, means that the consent may be invalid.
“Accordingly, Google may have a regulatory barb in its mouth which may prove difficult to extract.”
Critics have argued that Google’s new policy gave it unprecedented ability to monitor its hundreds of millions of users. The firm said the changes are designed to improve the user experience across the various Google products, and give it a more deeper view of its users’ interests to help make advertising more “relevant”.
Nick Pickles of the privacy campaign group Big Brother Watch said that in pooling data Google had made it harder for consumers to learn how they are monitored online.
“It’s absolutely right that European regulators focus on ensuring people know what data is being collected and how it is being used,” he said. “Unless people are aware just how much of their behaviour is being monitored and recorded it is impossible to make an informed choice about using services.”
“This ruling is an important step to putting consumers in control of their personal information and ensuring that companies like Google are not able to easily disregard people’s privacy in pursuit of more information and greater profits.”