On 16 October 2012, the CNIL published its report on this matter, which has been endorsed by all of the EU member state data protection authorities (with the exception of Greece, Romania and Lithuania).
The report’s main findings were as follows:
Google failed to comply with the information requirement set out in Articles 10 and 11 of the Data Protection Directive by providing insufficient information to its users on its personal data processing operations. Under its current policy, a Google services user is unable to determine which categories of personal data are processed and the exact purposes for which this data is processed.
Combination of data services
The CNIL identified eight different purposes for combining data across Google’s services. For four of them, it was unable to establish a valid legal ground under the Directive (“consent”, “performance of a contract” or the controller’s “legitimate interests”) for the combination. In particular, the findings reiterated that Google cannot rely on user consent where the user is unaware of the exact extent to which data is combined.
To comply with the Data Protection Directive, the CNIL recommended that, where a combination of data can rest on a legal ground other than consent, Google should adopt a “privacy by design” approach (anonymisation, simple opt-outs and defined retention periods). Where the combination requires user consent, Google must obtain the explicit consent of its users and make the corresponding opt-out mechanisms available in one place.
Google was unable to provide information on a maximum or typical retention period for the personal data it processes. This in turn raised questions as to the effectiveness of the opt-out mechanisms and deletion actions requested by users.
The CNIL recommended that retention periods should be clearly defined, particularly in relation to deleting content, unsubscribing from a specific service and deleting user accounts.
Online providers should note that the report’s findings have interpreted the existing data protection obligations under the Data Protection Directive in a relatively restrictive manner. The report has highlighted that privacy policies should be comprehensible, transparent and easily accessible to users. Moreover, online providers should ensure that any opt-outs of specific uses of personal data are easily locatable by users and should provide additional information to users about the use of any data that has a significant impact on the user’s privacy, such as location data, credit card data and unique device identifiers.