France sets Google deadline for privacy changes

The French data protection authority, CNIL, has today announced that Data Protection Authorities from France, Germany, Italy, the Netherlands, Spain and the United Kingdom have respectively launched enforcement actions against Google.

The statement read:

“From February to October 2012, the Article 29 Working Party (“WP29”) investigated into Google’s privacy policy with the aim of checking whether it met the requirements of the European data protection legislation. On the basis of its findings, published on 16 October 2012, the WP29 asked Google to implement its recommendations within four months.

After this period has expired, Google has not implemented any significant compliance measures.”

We are not surprised. Google first implemented its privacy policy in defiance of warnings that the policy might be in breach of European law. Despite more than a year of negotiations, the company has introduced no significant measures, which demonstrates a worrying lack of regard for regulators and privacy laws.

However, even if action is taken, the sanctions available to regulators are not significant when compared to Google’s revenues – the maximum fine that could be levied by all the regulators totals less than $10 million, compared with Google’s revenue of $14 billion. There is a real danger that the company sees the fines as a cost of doing business, while enjoying the competitive advantage of being able to collect information that its smaller competitors could not risk collecting.

This competitive advantage is a critical part of why, as we have argued, privacy and competition are interlinked – if a market is not working, and one company can capture a huge chunk of the market with a data-intensive business model, new entrants are forced to pursue a similar model. This is not a sustainable model and is leading to a race to the bottom in respect for users’ privacy. If consumers are to control their data, they need choice, and that needs real competition – the market is failing to deliver choice in Europe and it is undermining privacy. We support the views of the European consumer group BEUC on this issue, which warned: “It is important that the European Commission exercises its powers to sanction dominant companies who abuse their position to the detriment of consumer welfare.”

Google now must, within three months:

  • Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
  • Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
  • Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
  • Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
  • Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page;
  • Inform users and then obtain their consent in particular before storing cookies in their terminal.

We wait to see if anything changes. If these measures are not delivered, regulators should use the full scope of their powers to ensure people’s rights and privacy are respected.