On 2 April 2013, the Information Commissioner’s Office (“ICO”), which is responsible for enforcing the Data Protection Act 1998 (“DPA”) in the UK, issued a press release confirming that it has launched an investigation into whether Google’s privacy policy, which was revised in March 2012, is compliant with the DPA. The ICO’s decision to investigate Google follows on from an initial investigation led by CNIL, the French data protection authority.

The CNIL investigation was undertaken on behalf of the Article 29 Working Party, an advisory body that represents data protection authorities in the EU and of which the ICO is a member. CNIL published its findings in October 2012 in which it highlighted serious data protection compliance issues with many aspects of the revised Google privacy policy, principally in relation to provision of information, combination of data services and retention periods (click here for more details).

The ICO states in the press release that several data protection authorities across Europe are also now considering whether the revised privacy policy is compliant with their own national legislation but otherwise declines to provide any further details on its own investigation at this stage. However, if the ICO finds that Google’s privacy policy is in breach of the DPA then it may impose a range of sanctions including monetary penalties of up to £500,000 and, with potentially more serious consequences for Google’s business, enforcement notices requiring Google to amend its privacy policy to ensure compliance with the DPA.

Link to the ICO press release: http://www.ico.org.uk/news/latest_news/2013/ico-statement-investigation-google-privacy-policy-02042013