Earlier this year, we reported on Google’s announcement and implementation of its new privacy policy (click here for details).  Despite initial concerns voiced by the Article 29 Working Party, the appointment of the French data protection authority - CNIL to investigate Google’s policy’s compliance with the EU Data Protection Directive (95/46/EC) (the “Directive”), and its request that Google pause before introducing the policy in order to consult national regulators, Google introduced the policy on 1 March 2012.

CNIL has announced a press conference to publish the findings of its investigation later today.  As a result, it is expected that the Article 29 Working Party will criticise Google for not fully considering the data protection principles set out in the Directive and challenge it to comply with the principles and its own recommendations.

In its preliminary analysis of the policy, CNIL raised concerns that the general information provided in the policy did not satisfy Articles 10 and 11 of the Directive which require a purpose-specific wording to ensure transparency for account users.  It is expected that CNIL and the Article 29 Working Party will build on this assertion, arguing that the policy is not adequately clear about what categories of data Google processes, how the data are processed and the purposes for which they are processed.

In reference to Google’s combination and tracking of data across its (amongst others) Google+, Gmail, YouTube and Google Chrome platforms, CNIL is expected to criticise Google for not obtaining adequately explicit consent from users.  It may also go on to question whether a policy of collecting and combining such a vast amount of data is proportionate (as regulated by the Directive) or is simply in order to enable Google to monetise its search and advertising functions more effectively.  In other words, CNIL will say that the range of data is so broad that user consent cannot legitimise it. 

As a result of its findings, the Article 29 Working Party may recommend that Google revisit its privacy policy and provide clearer, more precise information to its users and account holders on how it uses data.  The Article 29 Working Party may also recommend that Google modify its various platforms to create new layers of opt-outs/opt-ins, inform users more clearly about how it combines data, their purpose and, potentially (and more radically), limit its combination of data.

In the face of changing approaches to data protection on both sides of the Atlantic, Google and other internet companies may also be concerned that other regulators will take note of CNIL’s findings and consider this in their forthcoming drafts of data protection regulation, for example the draft EU Data Protection Regulation (click here for details) and the United States' proposed Consumer Privacy Bill of Rights.  As global internet companies such as Google are increasingly able to analyse, store and transfer data across borders, regulators across the world are looking at ways of balancing the interests of user privacy with the realities of system operability, functionality and commerciality. 

The ruling will have repercussions for competition regulators too, as they may rely on it to argue that Google abused its market power in the browser segment of the market to strengthen its existence in adjacent markets.  The process of unpicking its privacy policy and data flows, and implementing further changes to its platforms and tools will not be attractive to Google.  Google has always provided its services free of charge on the basis that it must monetise data in order to maintain the service and make a profit.  Its new privacy policy provided a means of doing this more effectively.  However, though they may acknowledge this fact, the Article 29 Working Party, CNIL and consumer groups consider Google to be in a unique position of authority and wish to foster a sense of transparency and trust across the market and are making their position clear in this instance.