The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection (the “Directive”), available at http://eur-lex.europa.eu/en/index.htm.

The first year of existence of Google’s new privacy policy has been eventful

Google’s new privacy policy has been under the scrutiny of the European Data Protection Authorities since its launch was announced by Google at the end of January 2012.

The Article 29 Working Party, whose members are the Data Protection Authorities of the 27 Member States, immediately expressed concerns about the compliance of Google’s privacy policy with the European Directive on Data Protection, and requested in February 2012 that Google delay the implementation of the new policy, which Google refused. We blogged about this here: http://privacylaw.proskauer.com/2012/03/articles/online-privacy/googles-new-privacy-policy-being-scrutinized-by-the-french-data-protection-authority

The French Data Protection Authority (CNIL) took the task of reviewing and assessing Google’s privacy policy on behalf of all European Data Protection Authorities. After several months of exchanges between the CNIL and Google, the Article 29 Working Party rendered in October 2012 its findings and requested that Google make changes to its privacy policy: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20121016_google_privacy_policy_recommendations_cnil_en.pdf

The findings of the European Data Protection Authority on Google’s Privacy Policy

Google’s new privacy policy unified more than 60 different privacy policies across Google’s services and apps under one single privacy policy that covers almost every Google product and service. In addition, it allowed Google to combine data collected in every service into a single detailed user profile. To give an example, if a user searches for cooking recipes through the Google search engine, Google can use this information to suggest cooking videos on YouTube.

The Article 29 Working Party determined that Google’s privacy policy does not comply with the Directive’s obligation to precisely inform the user of the type of data collected, its purposes and its recipients because the policy is too general. As a result, a user is unable to determine which categories of data are processed in the service that is used and for which purpose they are processed. In addition, the Article 29 Working Party stated that the combination of data requires the unambiguous consent of the user and that this large combination of data is disproportionate and creates high risks to the privacy of the user. Finally, Google has not specified the retention periods for the data it processes, in breach of the Directive.

National Enforcement Actions in Six EU Countries

Google decided not to implement the Article 29 Working Party’s recommendations.

Following a meeting with Google on March 19, 2013, the national Data Protection Authorities of 6 of the 27 EU Member States announced that each will launch investigations and enforcement procedures against Google. Unlike the initial assessment phase that was coordinated by the CNIL on behalf of the other EU authorities, these investigations and enforcement procedures are not being jointly pursued. Indeed, each national Data Protection Authority has its own procedures, powers and sanctions.

Although the authorities have announced that they will cooperate, Google will nevertheless face six distinct national procedures, and should they result in divergent decisions, there is no system to reconcile them. One goal of EU data protection reform is to establish a new system of supervision when data processing has an EU-wide impact. Under the proposal for a new EU data protection regulation made by the European Commission in January 2012 [http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf] and currently under review before the European Parliament, only the Data Protection Authority of the EU country where the company has its main establishment would be in charge of taking legally binding decisions against a non-compliant company (one-stop shop). In addition, mandatory cooperation between national authorities, as well as a consistency mechanism at the EU level, would be implemented to ensure consistency across investigations and enforcement procedures.