French data privacy regulator plans to take on Google

The European regulators have always had concerns over the combined privacy rules Google introduced across all of its services last year. Just over a year ago they invited CNIL “to take the lead in the analysis of Google’s new privacy policy,” and asked Google to delay its introduction of the policy. Google declined.

CNIL, on behalf of the Article 29 Working Party, sent Google a list of 69 questions. Google responded, but CNIL described the replies as ‘often incomplete’ and issued further questions. Google’s response this time was described as ‘unsatisfactory’, and on October 16, CNIL and the European regulators told Google what it would have to do to comply with EU privacy rules. Google was given four months to do so under threat of legal action.

Yesterday, four months and one day after the deadline was given, CNIL announced “that Google did not provide any precise and effective answers to [the regulators’] recommendations.” CNIL now plans to present an action plan against Google to the next Article 29 Working Party plenary meeting scheduled for February 26.

Meanwhile, Google told Bloomberg that it had responded by letter on January 8 to CNIL’s October requirements, listing changes already made to its privacy policy and requesting a meeting – but hasn’t had a response. “Our privacy policy respects European law and allows us to create simpler, more effective services,” it said. “We have engaged fully with the CNIL throughout this process and we’ll continue to do so going forward.”

Although CNIL is representing all of the European regulators in this affair, it is far from clear that it will be able to maintain a united front when it comes to action. For example, although CNIL issued its largest ever data protection fine (a ‘mere’ €100,000) against Google over the Street View affair, the UK’s ICO merely rebuked the company. Some European regulators cannot levy fines at all.

It is against this background of differing national laws that the European Commission has proposed a new, Europe-wide standard Data Protection Regulation to replace the existing 18-year-old Data Protection Directive. Meanwhile, Google is separately awaiting a response from the EU competition authorities over its latest attempt to stave off anti-trust action over its dominance and practice in online search advertising in Europe.
