February 2012 will last as a milestone of an unprecedented fight between the Working Party 29, which comprises the European Data Protection Agencies, and Google.

Google has highly publicised the forthcoming launch of an integrated platform that is deemed to allow a better tracking of the user’s personal data and in particular to advertise with adds related to previous online searches of the user.  

The Working Party 29 had expressed concerns in the past weeks, in particular about the compliance of Google’s new integrated privacy policy – which shall replace, according to Google, more than 60 separate existing policies – with the European Data Protection Directive (95/46/CE).  

Because Google announced on February 3, 2012 that it would stick to the scheduled March 1, 2012 date for launch, the Working Party delegated to the French CNIL an in-depth analysis of the platform and the integrated privacy policy.  

On February 27, the President of the CNIL sent a letter to Google’s CEO Larry Page that, in another unprecedented move, has been published on the CNIL’s website.

The CNIL raises strong concerns both about the Privacy policy itself (1.), but more importantly about the interconnection of Google’s services throughout the integrated platform (2.).  

  1. Concerning the integrated Privacy Policy, the CNIL lacks the fact that the new Privacy Policy provides “only general information about all the services and types of personal data Google processes”, and adds that “as a consequence, it is impossible for average users who read the new policy to distinguish which purposes, collected data, recipients or access rights are currently relevant to their use of a particular Google service”.

Neither is the information about what Google will not do with the data (such as sharing personal data with advertisers) considered as sufficient in the CNIL’s valuation. The CNIL therefore considers that the integrated Privacy Policy shows a lack of transparency and comprehensiveness for users and concludes that it is not compliant with the EU Data Privacy Directive.

  1. Moreover, the CNIL raises important concerns about the platform itself, on two separate issues.

First, the fact that the integrated platform combines data across services raises the CNIL’s concerns since its preliminary investigation shows “that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals”. Second, such combination being mainly done by using cookies, the CNIL raises the issue of the preliminary consent of the user provided in Article 5(3) of the revised ePrivacy Directive, and implemented under applicable French regulation. The CNIL concludes here also that it has, with the Working Party 29, “strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation”.  

The CNIL finally urges Google to “pause” the launch of the platform, announcing that it will fully address this question in the following weeks and send a questionnaire to Google, outlining that such questionnaire will also comprise “other related aspects of Google’s data processing activities”.

The fact that this strong warning is now issued directly by one of Europe’s most powerful and restrictive Data Protection Authorities shows doubtlessly an escalation in this matter, the CNIL having strong enforcement powers: it can fine non complying data controllers to up to 300,000 euros per offence.

Finally, this letter sets a strong warning signal showing the caution with which European Data Protection authorities are monitoring the development of “intelligent advertising”.