The war started on the 1st of March 2012 when Google changed the privacy policy and terms of service applying to most of its services.

The Article 29 Data Protection Working Party, led by the French Data Protection Authority, has immediately taken the field, carrying out an investigation to evaluate the compliance of Google’s new Privacy Policy with the EU Data Protection Law (Data Protection Directive 95/46/EC and the e Privacy Directive 2002/58/EC).

As a result of the inquiry, on the 16th of October 2012 the Working Party addressed a letter to the Mountain View company asking Google to implement some recommendations in order to comply with the European Data Protection legislation. In fact, Google’s Privacy Policy is not in line with the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object.

The letter states that the new Privacy Policy, firstly provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed. Secondly, the new Privacy Policy allows Google to combine almost any data from any services for any purposes [... omissis ...] and for some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user.Moreover, Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it. Finally, Google failed to provide retention periods for the personal data it processes.

Therefore, the Working Party has encouraged Google to take the necessary steps to comply its privacy policy with the EU data protection laws and principles within four months.

Google did not implement the recommendations within the recommended timeframe, so the Data Protection Authorities of France, Italy, Germany, United Kingdom, Spain and the Netherlands, will start their own coordinated and simultaneous actions to establish the compliance of Google’s new Privacy Policy. In fact, “Google may not collect and process personal data from European citizens without taking account that specific rules are in place in the EU to protect citizens’ fundamental rights. The joint action by European DPAs is meant to reaffirm this principle and ensure that those rights are safeguarded “– stated the Italian DPA’s President, Mr. Antonello Soro.

Google immediately responded to the DPA’s action stating that its privacy policy respects European law and allows us to create simpler, more effective services”. We have engaged fully with the DPAs involved throughout this process, and we’ll continue to do so going forward.

The war continues.