EU agencies: Google’s new privacy policy breaks the law

eu outlining personal data protection rules viviane reding  justice commissioner

As Google’s implements its new privacy policy and scoops together user activity across dozens of formerly-separate Google services, European regulators are increasingly lining up against the change, claiming the policy shift violates European data protection laws. France’s data protection watchdog agency CNIL (Commission Nationale de l’Informatique et des Libertés) has published an analysis that finds Google’s new privacy policy does not meet the requirements of the new European Data Protection Directive, and the agency will be launching an EU-wide investigation. CNIL may have a powerful backer in European Justice Commissioner Viviane Reding, who in an interview with BBC Radio Four outright slammed Google’s new privacy policies for lack of transparency and consent.

Google’s new “simplified” privacy policy consolidates about 60 separate privacy policies for separate Google services into a single, consistent document. However, rather than merely coalescing the terms into a single location, Google is also broadly sharing user data across services, so that a users’ actions in one service can be shared with other Google platforms, like YouTube, Google+, and Blogger. Google’s primary interest in doing this is to more accurately target advertising at users.

Google has repeatedly indicated it believes its new policy complies with European law, and refused to delay implementation of the new policy so regulators could conduct a review.

Speaking with BBC Radio Four, Reding noted that it would have been impossible for Google to roll out its new privacy policy under a newly-proposed data protection framework she introduced in January. “Protection of personal data is a basic rule of the European Union. It is inscribed in the treaties. It is not an if, it is a must,” Reding said.

When asked what about Google’s new policy could violate EU law, Reding replied: “In numerous respects. One is that nobody had been consulted, it is not in accordance with the law on transparency and it utilizes the data of private persons in order to hand it over to third parties, which is not what the users have agreed to.”

Reding acknowledged that gathering and use of personal information about users is at the core of many Internet businesses that earn money via advertising. However, she also lamented that online businesses seem to be ignoring basic data protection rules in the EU. “Illegality is taking over,” she noted.

CNIL says that by combining user data across its services, Google “makes it impossible to understand which purposes, personal data, recipients, or access rights are relevant to the use of a specific service,” which would be in violation of the European Data Protection Directive. CNIL plans to send Google a series of questions regarding its inquiry by mid-March. Google has indicated it is willing to address any concerns from CNIL.

CNIL previously fined Google in France for privacy violations surrounding its Street View service and Latitude geo-social application.