The Undertaking requires Google to address three of the ICO’s particular concerns: (1) the lack of easily accessible information describing the ways in which service users’ personal data is processed by Google; (2) the vague descriptions describing the purposes for which the personal data is processed; and (3) the use of insufficient explanations of technical terms to service users.
Google has a period of two years in which to implement these changes, and it must provide a report to the ICO by August 2015, specifying the steps Google has taken in response to the commitments set out in the Undertaking.
The ICO’s measures in response to Google’s breach of national data protection laws are much lighter than those take by other EU Member States. The data protection authorities in France (CNIL) and Spain (AEPD) have imposed fines of €150,000 and €900,000 respectively. Currently, the Dutch data protection authority is threatening Google with a €15 million fine (see our previous blog).