The Dutch data protection authority, College Bescherming Persoonsgegevens (CBP), released a cease and desist order requiring Google to pay €60,000 per day, up to a maximum of €15 million, for violating Dutch data protection law, Wet bescherming persoonsgegevens(Wbp). Google has until the end of February 2015 to change the way it handles personal data.

The order requires Google to carry out three measures:

  • Ask for “unambiguous consent” before it shares personal data of Internet users with its other services, such as Google Maps and YouTube, the video-sharing site
  • Make it clear to users that Google is the owner of YouTube
  • Amend its privacy policy to clarify what data is collected and how the data is used

While the CBP conceded that Google has “already taken measures in the Netherlands”, CBP Chairman Jacob Konstamm commented that “This has been on-going since 2012 and we hope our patience will no longer be tested.” Google has responded that “We are disappointed with the Dutch regulator’s orders, especially as we have already made a number of changes to our privacy policy in response to their concerns”.

The Dutch authority has also recently announced that it will now turn its attention to Facebook’s privacy policy. The order clearly shows that the national data protection authorities are not ready to give up their national jurisdiction and enforcement powers, and that they are individually and increasingly focussing on transparency to users of social media.