Six European countries are stepping up the heat on Google to comply with the continent’s strict privacy policies, a year after the company announced that it had merged its data collection for some 60 of its applications.
Led by France, the six regulators are saying that Google has refused to change its policy despite repeated requests to do so. Joining France in the probe are Germany, Great Britain, Italy, The Netherlands, and Spain.
Last year, Google consolidated 60 privacy policies into one, prompting the European regulators group, known as Article 29, to investigate whether that change violated privacy laws. In its October 2012 report, a working group representing 27 European countries found cause for concern and asked for Google to respond by February. It was the first time all 27 regulators acted in concert against a company, Gwendal Le Grand, head of the IT experts department at French regulator CNIL, said in an interview.
Google met with the regulators group in March in a closed-door meeting. There, company officials said they believe they answered all outstanding questions. After that meeting, though, six countries say they are not satisfied with Google’s answers and they will take their investigation to the next level, indicating they believe there is enough evidence to prove the company is violating country laws. Le Grand said it’s likely other nations may join. Because there is no EU-wide law—the European Commission is currently discussing one—the regulators must conduct the next phase of their investigations in concert but individually.
CNIL, on behalf of the Article 29 members, expressed concern over how Google shares the data collected on users between such ubiquitous services as YouTube, Gmail, Google calendar, and the social network Google+. Specifically, the regulators want Google to give more control to netizens over how their data is used. They would like the company to allow users to opt out of data collection if they choose, in accordance with many European country laws. They add that Google should adapt its tools to ensure the data is maintained solely for authorized purposes.
Google says its policy does comply with all European regulations.
“Our privacy policies respect European law and allows us to create simpler, more efficient services,” said Al Verney, a spokesman for Google in Brussels. Google has been “thoroughly engaged” with authorities in resolving any outstanding issues, he added.
If the company is found guilty of violating national privacy laws, Google could be fined by each individual country. In France, that would mean up to 150,000 euros for a first offence. In Britain, the highest penalty would be 500,000 pounds. CNIL already has fined Google once before, when the search giant inadvertently collected data on private households when it was setting up Street View in France.
“Compared to Google’s annual turnover, 150,000 is nothing,” Le Grand said of potential fines, but for a publicly held company, fines are meaningful. “If users are aware Google had a fine before, it could have an impact on their trust.”
EU policymakers are currently debating a law in which violators of privacy laws could be fined up to 2 percent of their total annual revenues.
Although Google is the first company to be singled out for possible violations, it may not be the last. Article 29 is also investigating Microsoft’s privacy policies; data protection authorities in Ireland have been looking into Facebook’s data collection as well.
In a blog post on Reuters, privacy lawyers Craig Blakeley and Jeff Matsuura point out that the European governments’ investigation of Google’s practices may have global significance, because European regulators appear to be attempting to sway the world to their views on privacy.
If successful, European enforcement could alter the standard privacy practices of the major online service providers in other jurisdictions, including the United States. The European initiative could thus make it easier for the U.S. and other countries to expand their privacy requirements.
The EU has long been a global leader in privacy protection. The current effort to coordinate European national privacy enforcement efforts is another example of that leadership. Consumers in Europe and around the world may ultimately benefit from the emphasis European authorities place on protection of the privacy of personal information.
The French regulator agreed that Europeans view data protection differently than other societies.
“It is in the European culture to think about the protection of the private individual,” Le Grand said.
Disclosure: CJR has received funding from the Motion Picture Association of America (MPAA) to cover intellectual-property issues, but the organization has no influence on the content.