ICO says Google is in breach of the Data Protection Act and must conform by September

Led by the French data protection authority, CNIL, Europe disagreed. Earlier this year the Article 29 Working Party (comprising representatives from the data protection authorities of each of the EU's member states) selected six national authorities who would commence action against Google. 

The ICO is one of these (CNIL has finished its own investigation and told Google to change its policy or face a fine of €150,000 – around £130,000). Now the ICO has completed an investigation and found that Google's updated privacy policy "does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products."

Google must now amend the policy to make it "more informative for individual service users." Failure to do so by 20 September will leave the internet giant open to the "possibility of formal enforcement action."

So far Google has insisted that it is operating within European laws and has given no sign of willingness to change. Indeed, it recently told Congress in the US that it had no intention of changing its policy. However, while the European Union is a market comparable in size to the US, it is if anything more important to Google (Search, for example, has a much larger share of the European market than the US market). It remains to be seen whether this concerted action by the data protection authorities in Europe will have any different effect.

The ICO believes it will. A spokesman told Infosecurity that it expects Google will comply with the instructions in its letter. However, this is potentially uncharted territory for the ICO. It has mostly been concerned with matters of fact – the theft or loss of data that is undisputed. It has never before been faced with a potential dispute with an international corporate with the financial muscle of Google.

The ICO spokesman told Infosecurity that if Google does not comply with the instructions, the next step would probably be an enforcement notice (he said that it would be unlikely to be a fine, which in theory could be up to £500,000). If Google then defied or appealed the enforcement (it is, after all, insisting that it is already in conformance), it would become a matter for the UK courts.

The question is how confident Google is. It has the financial ability to draft in legal resources that the ICO has never experienced, and the courts will have to decide. Here, however, the spokesman told Infosecurity, the potential sanction is not the ICO's £500,000 maximum, but unlimited fines. It is perhaps for this reason that the ICO is confident that Google will comply with its letter.

All that is not yet clear is to what extent Google will need to amend its existing policy to satisfy the ICO.
