All of the regulators who have so far returned a decision have fined Google either at or close to the maximum they are allowed to levy. The UK has so far merely written to Google, saying “Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policies compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.” Although it is now three months beyond that deadline, the ICO told The Register last week, our "investigation is still ongoing." The decisions from Italy and Germany are still awaited, but Germany is in particular expected to levy a larger fine.
Spain found that Google breaches its data protection laws in three specific areas, and fined Google €300,000 on each count. Firstly, Google does not make it sufficiently clear that it filters Gmail users' emails and attachments for targeted advertising purposes. "Where Google does inform it uses vague terminology, with generic and unclear expressions that prevent users from knowing what they really mean," says a statement from the Spanish Data Protection Agency (AEPD).
Secondly, Google stores and maintains user data for an indeterminate and unjustified period, "thereby contravening the legal mandate to cancel data when it ceases to be necessary for the purpose which determined its collection."
Thirdly, Google hinders – sometimes preventing – users' right of access, correction, cancellation and opposition to that collected data. "The procedure that citizens have to follow to exercise their rights or to manage their own personal information," explains AEPD, "requires them to access to an undetermined number of web pages, scattered in several links, that are not available for all types of users and, occasionally, with denominations that do not always refer to its real object."
These findings were inevitable since the Article 29 Working Party had already concluded such. All that was realistically left to the six countries taking enforcement action is what they would do about it. For its part, Google has continually maintained that it adheres to European laws and cooperates with the national regulators. It says it will give a more detailed response once it has seen the full report.
It has frequently been pointed out that the maximum fines available under European law would hardly trouble the revenue of Google. However, it is not simply a case of paying the fine and carrying on – further sanctions could be made in the future if Google defies the rulings to come into conformance. Furthermore, if the GDPR actually becomes law, either during 2014 or the following year, the potential for a fine based on global turnover would certainly hurt Google. Google's problem then would be that the arguments have already been made; Europe has already decided that it breaks current data protection legislation.