Google fined €150,000 by French Data Protection Authority

The French data protection authority, CNIL, has announced that it has issued a €150,000 fine to Google after finding that its privacy policy does not comply with the French Data Protection Act. CNIL has also demanded that Google post a warning on its home page stating that the company's unified privacy policy from 1 March 2012 does not comply with French law.

It is absolutely right that regulators have the tools to take multinational companies to task, yet there are concerns that regulators do not yet have the powers that they need to have a real effect. Trivial financial penalties are at risk of being seen as the cost of doing business, rather than a meaningful sanction. Whether through consumer notices, restrictions on public sector contracts or interpreting each user affected as an individual breach, regulators need to think long and hard about how they resolve this situation to ensure users' privacy is respected and the law upheld.

There is clearly an appetite for regulators to do more to protect our privacy online. Our 2013 Global Attitudes to Privacy Online survey highlighted that 79% said they are concerned about their privacy online, whilst 41% said consumers are being harmed by big companies gathering large amounts of personal data for internal use. Consequently, 65% of consumers believed that national regulators should do more to force Google to comply with existing regulations concerning online privacy and the protection of personal data.

The fine of €150,000 issued by CNIL is the largest issued by the Committee to date. CNIL has also justified its demand that Google post the warning because of “the extent of Google’s data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights.”

The response from Google has been somewhat noncommittal, stating: “We’ve engaged fully with the CNIL throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services. We’ll be reading their report closely to determine next steps.”

CNIL has not challenged the legitimacy of Google simplifying and merging its privacy policies. However, it did consider that the conditions under which the single policy has been implemented are contrary to several legal requirements:

• The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.

• The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.

• It fails to define retention periods applicable to the data which it processes.

• Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.

These conclusions are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws.

Online privacy is a global issue of real importance to people and the overwhelming message is that citizens do not feel their authorities are doing enough to curb the desire of large companies to collect vast amounts of data on them. The move by CNIL to fine Google and force it to issue a consumer warning on its home page is clearly a step forward in protecting consumers’ privacy online. However, whether it will have any impact on Google and its stance on its privacy policies in the future is yet to be seen.