CNIL has announced a press conference to publish the findings of its investigation later today. As a result, it is expected that the Article 29 Working Party will criticise Google for not fully considering the data protection principles set out in the Directive and challenge it to comply with the principles and its own recommendations.
In its preliminary analysis of the policy, CNIL raised concerns that the general information provided in the policy did not satisfy Articles 10 and 11 of the Directive which require a purpose-specific wording to ensure transparency for account users. It is expected that CNIL and the Article 29 Working Party will build on this assertion, arguing that the policy is not adequately clear about what categories of data Google processes, how the data are processed and the purposes for which they are processed.
In reference to Google’s combination and tracking of data across its platforms, including Google+, Gmail, YouTube and Google Chrome, CNIL is expected to criticise Google for not obtaining adequately explicit consent from users. It may also go on to question whether a policy of collecting and combining such a vast amount of data is proportionate (as regulated by the Directive) or simply serves to enable Google to monetise its search and advertising functions more effectively. In other words, CNIL will say that the range of data is so broad that user consent cannot legitimise it.
In the face of changing approaches to data protection on both sides of the Atlantic, Google and other internet companies may also be concerned that other regulators will take note of CNIL’s findings and consider this in their forthcoming drafts of data protection regulation, for example the draft EU Data Protection Regulation and the United States' proposed Consumer Privacy Bill of Rights. As global internet companies such as Google are increasingly able to analyse, store and transfer data across borders, regulators across the world are looking at ways of balancing the interests of user privacy with the realities of system operability, functionality and commerciality.