French Data Protection Authority will Impose Sanctions on Google

Photo credit: Northfoto/
Photo credit: Northfoto/

The European Union's Article 29 Working Party (which comprises representatives of the member states' individual data protection authorities) had concluded that Google's consolidated privacy policy implemented on March 1, 2012, contravenes European data protection laws.

On June 20, 2013, CNIL announced that six of the DPAs, "France, Germany, Italy, the Netherlands, Spain and the United Kingdom have respectively launched enforcement actions against Google." CNIL, as the driving force behind the action, simultaneously gave Google formal notice to come into compliance with European law within three months.

The compliance notice made six specific requirements, including "define specified and explicit purposes" for the collection of personal data; "define retention periods for the personal data processed;" and "not proceed, without legal basis, with the potentially unlimited combination of users’ data."

But Google has not complied. In fact, said CNIL on Friday, "On the last day of the three-month time period given to Google Inc., the company contested the reasoning followed by the CNIL, and notably the applicability of the French data protection law to the services used by residents in France."

This is the same defense offered by Google against a separate UK action concerning Google subverting Safari's privacy settings. "Google has told British consumers taking legal action against it for privacy breaches that it does not have to answer to the English courts and that UK privacy laws don’t apply," announced the litigants' lawyers.

CNIL, however, is not persuaded. Google "has not implemented the requested changes. In this context, the Chair of the CNIL will now designate a rapporteur for the purpose of initiating a formal procedure for imposing sanctions, according to the provisions laid down in the French data protection law."

The European position that Google's new privacy policy is too confusing for users to understand, and are therefore unable to give informed consent, received surprise support from a US court last week. In that instance Judge Lucy Koh notes, "Google points to its Terms of Service and Privacy Policies, to which all Gmail and GoogleApps users agreed, to contend that these users explicitly consented to the interceptions at issue.The Court finds, however, that those policies did not explicitly notify Plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising."

In reality, the maximum fine that CNIL is able to impose is a mere €150,000 (just over $200,000) and will have little effect on Google. More worrying to Google, however, will be the effect on both European corporate and government customers faced with the clear declaration that Google is breaking European law.

What’s Hot on Infosecurity Magazine?