Google’s March 2012 Privacy Policy has never been well-received in the EU, and after waiting for Google to change its Privacy Policy the EU now plans to take action. The CNIL (Commission nationale de l’informatique et des libertés) announced on April 2, 2013 that 6 EU states have launched coordinated enforcement actions. These 6 EU states are France, Germany, Italy, the Netherlands, Spain, and the United-Kingdom, but each EU state must pursue their own action and seek fines.

CNIL is the French data protection agency which “…is responsible for ensuring that information technology remains at the service of citizens, and does not jeopardize human identity or breach human rights, privacy or individual or public liberties.”

In October 2012 the CNIL sent a letter which included this statement about the Google’s response to the EU’s inquiry:

Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.

The letter included these three legal issues:

  • Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed.
  • Secondly, the investigation confirmed our concerns about the combination of data across services.
  • Finally, Google failed to provide retention periods for the personal data it processes.

However in the April 2nd announcement the CNIL stated that “Google has not implemented any significant compliance measures.” It will be interesting to see the outcome and its impact on Google and privacy.