"Google spins an invisible web of our personal data, without our consent. And that is forbidden by law," says Jacob Kohnstamm, chairman of the DPA. He has not yet decided whether to take formal enforcement action, but has invited Google to attend a further hearing before that decision.
In its findings titled Investigation into the combining of personal data by Google, the DPA defines Google users as either authenticated (signed in with an account), unauthenticated (users of services such as Search that don't require an account) or passive (visitors to sites that deliver Google cookies). It then looked at these users in relation to four specific purposes for which Google collects and combines personal data: "the personalization of requested services, product development, display of personalized ads, and website analytics."
Google's basic arguments for the lawfulness of its data collection are that users imply consent to the collection of personal data, that it is necessary for the company's business model, and that the company provides adequate safeguards for users to protect their data (such as opt-outs and using the incognito browsing mode in Chrome). Throughout its investigation, however, the DPA concluded that Google failed to meet the underlying legal requirements of proportionality (legitimate, suitable, necessary and reasonable) and subsidiarity (the smallest degree necessary) when collecting personal data.
"Google has not demonstrated and this investigation has not shown that the investigated data processing activities relating to the combining of data about and from multiple services are necessary (i.e. meet the requirements of proportionality and subsidiarity)."
The DPA also points out that 'implied' consent is insufficient in Dutch law, which requires unambiguous consent. "There is no evidence," it says, "of unambiguous consent... since Google does not offer data subjects any (prior) options to consent to or reject the examined data processing activities."
Because of the lack of proportionality, subsidiarity and unambiguity, Google has no legal grounds for collecting personal data in the way that it does; and because of that, "the personal data collected by Google from all three types of users are not being collected for legitimate purposes (as being examined here), with the result that Google is acting in breach of the provisions of Article 7 of the Wbp in this respect as well."
The report's final conclusion for all three types of user and the four specified purposes is, "Google does not obtain unambiguous consent for the examined data processing activities and has no other legal grounds under Article 8 of the Wbp. For this reason, by combining data from and about multiple services for the four examined actual purposes Google is acting in breach of Article 8 of the Wbp."
Before deciding whether to impose enforcement of these findings, the DPA will hold a further hearing with Google. In response, a Google statement said, "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward."