
French privacy regulator finds Google in breach of national law, as Spain and Germany close in.


By Simon Davies

The French privacy regulator CNIL has found Google to be in breach of national law and has given the company three months to comply. The ruling comes days after Sweden’s data protection authority issued a prohibition on public sector use of Google Apps.

The national authorities of Spain, Germany and Holland have also announced enforcement proceedings against the advertising giant.

These actions, combined, will create a considerable trust issue for Google. At stake is not only a potential fine of many hundreds of thousands of euros, but also the sustainability of public sector contracts throughout Europe. They also challenge the core viability of Google’s new privacy policy that allows the company to amalgamate all data from all products and services.

From February to October 2012, the Article 29 Working Party (“WP29”) investigated Google’s privacy policy with the aim of checking whether it met the requirements of European data protection legislation. On the basis of its findings, published on 16 October 2012, the WP29 asked Google to implement its recommendations within four months. However, after this period had expired, Google had still not implemented any significant compliance measures.

Following new exchanges between Google and a taskforce led by the CNIL, the Data Protection Authorities from France, Germany, Italy, the Netherlands, Spain and the United Kingdom respectively launched enforcement actions against Google.

The investigation led by the CNIL has confirmed Google’s breaches of the French Data Protection Act of 6 January 1978, as amended, breaches which, in practice, prevent individuals from knowing how their personal data may be used and from controlling such use. This position parallels the Swedish decision prohibiting Google Apps.

In this context, the CNIL’s Chair has decided to give formal notice to Google Inc., within three months, to:

·        Define specified and explicit purposes to allow users to understand practically the processing of their personal data;

·        Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;

·        Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;

·        Not proceed, without legal basis, with the potentially unlimited combination of users’ data;

·        Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page;

·        Inform users and then obtain their consent in particular before storing cookies in their terminal.

CNIL’s public statement says: “This formal notice does not aim to substitute for Google to define the concrete measures to be implemented, but rather to make it reach compliance with the legal principles, without hindering either its business model or its innovation ability.”

“If Google Inc. does not comply with this formal notice at the end of the given time limit, CNIL’s Select Committee (formation restreinte), in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company.”

The Data Protection Authorities from Germany, Italy, the Netherlands, Spain and the United Kingdom will continue their investigations under their respective national procedures and as part of an international administrative cooperation.

These regulators have made progress on their investigations:

·        The Spanish DPA has issued Google its decision today to open a sanction procedure for the infringement of key principles of the Spanish Data Protection Law.

·        The UK Information Commissioner’s Office is considering whether Google’s updated privacy policy is compliant with the UK Data Protection Act 1998. ICO will shortly be writing to Google to confirm their preliminary findings.

·        The Data Protection Commissioner of Hamburg has opened a formal procedure against the company. It starts with a formal hearing as required by public administrative law, which may lead to the release of an administrative order requiring Google to implement measures in order to comply with German national data protection legislation.

·        As part of the investigation, the Dutch DPA will first issue a confidential report of preliminary findings, and ask Google to provide its view on the report. The Dutch DPA will use this view in its definite report of findings, after which it may decide to impose a sanction.

·        The Italian Data Protection Authority is awaiting additional clarification from Google Inc. after opening a formal inquiry proceeding at the end of May and will shortly assess the relevant findings to establish possible enforcement measures, including possible sanctions, under the Italian data protection law.