On 16 October 2012, the EU Data Protection Authorities (“Authorities”) issued their findings and recommendations following an in-depth, CNIL-led, investigation into Google’s revised Privacy Policy, which went live on 1 March 2012.  In a covering letter to the main findings, the Article 29 Working Party representing the Authorities has asked Google to respond to the CNIL to indicate how, and within what timeframe, it will update its privacy policies and practices to implement these recommendations.  The letter also challenges Google to commit to the key data protection principles of purpose limitation, data quality, data minimisation, proportionality and the right to object.

In summary, the CNIL investigation recommends that Google provides clearer information to its users, especially on the purposes and categories of data processed.  Secondly, it raises concerns over the combination of data across services and asks Google to offer its users improved control in this area.  Finally, it recommends that Google should clearly define its retention periods for the personal data it processes.   In the public presentation of the report, CNIL’s president, Isabelle Falque-Pierrotin, suggested that if Google did not act on these recommendations, then litigation from the Authorities may follow. 

Google is considering its response to the report, and Larry Page has defended its necessity for creating new products for its users.  Pro-privacy groups have welcomed it, while other parties have questioned whether the Authorities have been too soft on Google by merely making recommendations.  The second round of this particular privacy battle is awaited with interest on all sides.