Google ordered to comply with French data protection laws

The potential financial penalty is nowhere near as disturbing to Google as the clear statement from France that it is breaking the law. CNIL is only able to levy a fine of up to 150,000 euros ($201,100) and a second of 300,000 euros if Google still fails to respond: CNIL’s bark is clearly worse than its bite. 

This is the first tangible result of an investigation into Google’s privacy policy by EU regulators that started in February 2012. CNIL, leading the investigation, has never been in any doubt that Google’s aggregation of around 60 separate privacy policies into just one overall policy broke European laws. Acting on behalf of the Article 29 Working Party (a group representing the data protection regulators from every member state within the EU), CNIL asked Google to come into compliance.

For its part, Google has continuously maintained that it operates within the law, and will co-operate with any investigation – but has changed nothing. The Article 29 group eventually lost patience. At the beginning of April 2013 it announced that six European regulators, from France, Germany, Italy, the Netherlands, Spain, and the UK, would commence enforcement action against Google. 

This is the first result of those actions. Google is instructed to define and explain how it uses personal data; to specify how long that data is retained and ensure that it is not retained beyond the period necessary for the purposes of its collection; not to proceed, ‘without legal basis’, in the collection of data; to fairly ‘collect and process’ data collected via DoubleClick and Google Analytics, and via the ‘+1’ button; and to obtain consent before storing cookies on users’ terminals.

The remaining five enforcement actions are still works in progress, and may or may not lead to additional sanctions. Germany, for example, has already fined Google over its Street View project while the UK simply instructed the company to stop collecting personal data.

Jeff Gould, President of SafeGov, a US-based non-profit organization that promotes safe and secure computing solutions in the public sector, calls it a welcome first step. But he believes “the combination of user data goes far beyond individual consumers,” and is concerned that non-consumer users of Google’s services, such as employees, civil servants, patients or schoolchildren, who aren’t able to individually consent to or opt-out of data processing practices, remain at risk of intrusive online tracking. “We urge Europe’s data protection authorities,” he adds, “to continue their quest to protect all citizens against undue invasion of their privacy.”

Nick Pickles, Big Brother Watch director, is also pleased with the outcome but somewhat doubtful over its effect. “This case is a significant test of how strong the laws are to protect our privacy in an internet age. Fines totaling a few million dollars will hardly trouble a multi-billion dollar empire and it's essential that action does force the company to respect our privacy and put users' rights before the demands of its advertising customers.”
