Although Google may have escaped the FTC enquiry into the legality and fairness of its privacy policy with little more than a rap on the knuckles, the search giant is not completely out of the woods yet.
It is still facing sanctions over this side of the pond. EU watchdogs are now considering whether to take action against Google by the summer over the search engine’s current privacy policy.
Google changed its privacy policy in March, 2012, and combined data from across its sites so that it could target adverts more effectively at users. French privacy regulator, CNIL, viewed such changes as a ‘high risk’ to user’s privacy, and asked Google to revise its policy and to make what it considered to be necessary changes within 4 months. CNIL demanded these changes in October, but Google, as yet, has not carried them out, claiming that its privacy policy does not infringe EU law.
A spokesperson for CNIL told the press:
“Google did not provide any precise and effective answers. In this context, the EU data protection authorities are committed to act and continue their investigations. Therefore, they propose to set up a working group, led by the CNIL, in order to coordinate their reaction, which should take place before summer.”
Google, however, insists its actions were perfectly legal and that it did respect EU law:
“We have engaged fully with the CNIL throughout this process, and we’ll continue to do so going forward.” the firm told the BBC.
The EU data protection authorities made 12 recommendations in total. These were outlined in a letter signed by 24 of the EU’s 27 data regulators, following a nine-month investigation into Google’s data collection practices. Among the proposed changes were the following:
- Google must “reinforce users’ consent”. This could be done, it argues, by allowing its members to choose under what circumstances data about them was combined by asking them to click on dedicated buttons.
- Google should offer a centralised opt-out tool and allow users to decide which of Google’s services provided data about them.
- Google should adapt its own tools so that it could limit data use to authorised purposes. For example, it should be able to use a person’s collated data to improve security efforts but not to target advertising.
