On 1 March, Google decided to change its privacy policy and terms and conditions of services to consolidate over 60 separate privacy policies across Google worldwide and replaced them with one single agreement 'that's a lot shorter and easier to read'.  Google claims that its new privacy policy reflects Google's desire to create 'one beautifully simple and intuitive experience across Google' (www.google.com/policies/).  

The move allowed the search giant to pool data from across multiple products and features, including use of its video site YouTube, social network Google +, Google Maps and Gmail, with a clear aim to let its advertisers access its users' data across its many services.  Google's updated privacy policy does not differ to those used by other large internet companies such as Microsoft and Facebook.

The EU data protection authorities voiced their concerns almost immediately, as they found that it does not appear to adhere to the EU's approach to data protection.  Given the numerous questions raised by these changes, the French information commissioner (known as CINL) lead an investigation into Google's new privacy policy on behalf of all EU’s national regulators.  Although Google has not been directly accused of acting illegally, it has been alleged of providing 'incomplete and approximate' details when replying to two successive questionnaires sent by the authorities to Google earlier this year, raising 'deep concerns about data protection and the respect of EU law'.

On 16 October and after studying Google's revised policy in depth, the EU privacy watchdogs sent a letter to the ‘leader in the online world’, requesting it to explain its intentions and methods for combining data collected from its various services and to give its users more control over how the information is compiled.  The authorities also proposed 12 'practical recommendations' and requested Google to modify its practices accordingly, including:

  • 'reinforce users' consent' by allowing them to choose under what circumstances and for purposes their data is combined, for instance by asking them to click on dedicated buttons;
  • offer a centralised opt-out tool allowing users to object their data to be combined for certain Google's services or purposes; and
  • adapt Google’s tools used for the combination of data so that it remains limited to the authorised purposes, e.g. by allowing the consumer simplicity to permit the collection of its data for security or targeted advertising.

Google has up to four months to either modify parts of its controversial privacy policy or challenge the EU regulators’ authority in court. Google has replied that it needs more time to provide a detailed response and insists that everything it does is in the interest of its users and remains confident that its privacy notices comply with EU data protection legislation.  If adopted, the recommendations could have consequences on some of Google's main businesses, which depend on consumer profiling for targeted advertising.

The regulators said that Google had enough time to accede and make some changes since originally warned earlier this year and had threatened with possible fines or legal actions unless Google takes action.  However, it remains uncertain whether CNIL will levy a fine on the company and whether other EU authorities will follow suit.

This is a ‘significant step in the mobilisation of EU authorities’ to enforce online privacy law, putting the consumers in control of their personal information and ensuring that large companies, such as Google, will not easily disregard their customers’ privacy in pursuit of greater profits.