Six European privacy regulators to launch enforcement action against Google

This is the culmination of a year long investigation, starting in March last year. By October the regulators had concluded that Google’s privacy policy does not conform to European privacy regulations, and gave the search giant four months to come into compliance. Nothing changed, but Google asked for a meeting with the regulators. “On 19 March 2013, representatives of Google Inc. were invited at their request to meet with the taskforce led by the CNIL and composed of data protection authorities of France, Germany, Italy, the Netherlands, Spain, and the United-Kingdom,” announced CNIL in its statement yesterday. “Following this meeting, no change has been seen.”

The regulators patience is clearly exhausted. “Consequently,” continues CNIL, “all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation (investigations, inspections, etc.)” The UK’s Information Commissioner is giving little away. “The ICO has launched an investigation into whether Google’s revised March 2012 privacy policy is compliant with the Data Protection Act,” it announced in a brief statement yesterday. “The action follows an initial investigation by the French data protection authority CNIL, on behalf of the Article 29 group of which the ICO is a member. Several data protection authorities across Europe are now considering whether the policy is compliant with their own national legislation. As this is an ongoing investigation it would not be appropriate to comment further.”

Whether either side will back down remains to be seen. Google insists that it operates within European laws. It is the operator of choice for European users (around 95% of European searches are via Google, while ‘only’ 65% of US searches use Google). The financial sanctions available to the regulators is limited. The UK can, for example, levy a fine of up to £500,000 – but has never done so. France’s CNIL can levy a fine up to €300,000 (“approximately the amount [Google] earns in three minutes, based on its projected revenue of $61 billion this year” comments Time) but has never done so. 

However, the regulators could impinge on Google’s ability to continue collecting user data – and that would hurt. It is at this point that things could change. Google will have to decide how confident it is that its privacy policy is lawful; that is, could it win an appeal in the courts? This would be uncharted territory for the regulators. So far, small companies have avoided appeals because of the cost; large companies have simply absorbed the fines with little effort and not bothered to appeal (which would cost more than the original fine).

“The question,” says Big Brother Watch, “is not whether action should be taken, but if the action that will be taken is really enough to force Google to change it’s ways.”

But Google could apply the corporate lawyers and financial muscle of a major international corporation to protect its business model – and that would be something new. The likelihood, however, is that at the eleventh hour a compromise will be found. Nick Pickles, director of Big Brother Watch, hopes not. “Just because Google is a big business does not put it above the law,” he said in a statement late yesterday. “The company has ignored the authorities and refused to make any meaningful changes to how it collects and uses people’s data.” Despite the popularity of Google, he believes that users are increasingly concerned over the potential abuse of their privacy. “It is essential regulators find a sanction that is not just a slap on the wrists and will make Google’s think twice before it ignores consumer rights again.”

What’s Hot on Infosecurity Magazine?