On 2 April last, the Italian Data Protection Authority (“DPA”) launched an investigation into whether Google’s revised March 2012 privacy policy is compliant with the Data Protection Law. This investigation was started in the context of a coordinated action with the Data Protection Authorities of five other member states, including France, the UK, the Netherlands, Spain and Germany, and is the result of Google’s resistance to a first request, made by the EU DPAs united within the Article 29 Working Party, to align the terms of its revised privacy policy with the principles of EU data protection legislation.

THE ARTICLE 29 INVESTIGATION OF 2012

In 2012 Google changed the privacy policy (“Privacy Policy”) and the terms that apply to most of its online services and applications. Namely, the new Privacy Policy merges many product-specific privacy policies and generalizes the combination of personal data across its services (e.g. Gmail, Google+, YouTube). The new policy has been effective since 1st March 2012. Google announced the new Privacy Policy terms through an extensive advertising campaign, but did not engage in discussions with the EU DPAs before implementing the new policy.

As a consequence, Google’s revised Privacy Policy attracted the attention of the EU DPAs, which in March 2012 started to closely scrutinize the compliance of Google’s new Privacy Policy with the European Data Protection legislation (Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC).

The French Data Protection Authority took the lead in this first investigation.

Google collaborated with the Article 29 Working Party by answering two questionnaires sent by the French Data Protection Authority on 19 March and 22 May 2012 respectively. Google’s answers, however, were not deemed satisfactory and, according to the Working Party, indicated that Google did not endorse the key data protection principles of purpose limitation, data quality, data minimization, proportionality and the right of the data subjects to object to the processing. Moreover, the new Privacy Policy would show the absence of any limit concerning the scope of the collection and the potential uses of the personal data collected by Google. Additionally, the above-mentioned investigations unveiled several legal issues with the new Privacy Policy and the general combination of personal data across all of Google’s specific services and applications, such as Google Maps, Gmail, Google Calendar, Google Photos etc.

From the analysis of the above-mentioned investigations and of Google’s answers, the Article 29 Working Party and the EU DPAs involved came to the conclusion that Google:

  1. provides incomplete and insufficient information to users about the purposes and the categories of data collected. The purposes included in the Privacy Policy are not detailed enough and do not respect the principle of “limitation”. According to the Data Protection Directive 95/46/EC, in fact, it is not possible to collect personal data in general terms; the data controller must accurately inform the data subjects about the specific scope and purposes of the processing. The information on the categories of data processed by the services is too broad and does not indicate to the data subjects which kind of data are collected during a particular service and which data are combined between which Google services. Data subjects are, then, not in a position to fully understand which data, and from which service, are processed by Google. In this context data subjects are not able to freely exercise their right to object to the processing.
  2. combines data across its services without the user’s direct knowledge. This combination of data is very broad, considering that it includes all the activities of data subjects on Google’s sites and their activities on third-party websites, and users are not aware of the exact extent of that combination. Consequently, no valid consent was given for such data combination (Google does not expressly ask for the users’ consent to the combination of data) by users, who do not have direct knowledge of the purposes of these combinations and whose right to object is, consequently, not guaranteed.
  3. fails to provide a retention period for the personal data it processes. As we know, the EU Data Protection legislation ensures that personal data can be processed only for a limited period of time.

THE REQUESTS OF THE EU DPAs AND THE ARTICLE 29 WORKING PARTY OF OCTOBER 2012

On the basis of these findings, on 16th October 2012 the Article 29 Working Party sent Google a letter listing several important recommendations Google should follow in order to allay the compliance concerns which surfaced during the investigation, giving Google 4 months to implement the changes requested. The Working Party also encouraged Google to engage with EU Data Protection Authorities during the development of services with significant data protection implications.

The 4 month period passed and Google has not modified its Privacy Policy yet. Google’s representatives met the EU Privacy Authorities on 19 March 2013 and, despite their repeatedly stated willingness to comply with the European data protection legislation, no concrete initiatives have been carried out to date.

THE RESOLUTION TO INITIATE A PROCEEDING IN ORDER TO ESTABLISH COMPLIANCE WITH THE EU AND THE ITALIAN LEGISLATION

As a consequence of Google’s continuing non-compliance with the Working Party’s recommendations, each of the DPAs actively involved in the first investigation (Privacy Authorities of Italy, France, Germany, United Kingdom, Holland and Spain) has launched an official investigation by way of parallel separate proceedings – which will nevertheless be coordinated very closely.

The Italian DPA has declared that this joint action of the European DPAs is meant to reaffirm the principle by which all companies – Google included – which process personal data of European citizens must respect the specific rules in force in the European Union established in order to protect citizens’ fundamental rights, such as those related to the collection and the processing of personal data.

Unlike the first investigation conducted in 2012 by the Working Party, these new investigations might result in formal findings that Google has breached the data protection laws of the member states concerned and consequently in a binding order on Google to bring the infringement to an end and possibly in the imposition of fines.