Google privacy policy breaks law, EU data chiefs say
By Benjamin Fox
Search-engine Google has been ordered to re-write its data collection rules after EU regulators found that they were in breach of EU data protection laws.
A letter to Google CEO Larry Page signed by 24 of the EU's 27 national data protection regulators said that the software-giant had "not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimisation, proportionality and right to object."
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
The regulators, who collectively make up the Article 29 working party on data protection, also spelt out a 12-point plan for Google to comply with EU law on data protection and retention as well as the e-privacy directive.
These include requirements to get explicit consent from users to use and combine their data and create a simple opt-out mechanism for users. Google should also publish how it uses and processes personal data. However, they have steered clear of accusing the software-giant of intentionally breaking the law and of possible fines or other sanctions.
The report concludes a long-running investigation into Google's practices led by French data regulator CNIL starting in March over the ways that Google collects personal data.
Google changed its data collection practices in March after warning customers using its Gmail and Google+ network of the change. It had claimed that the new Privacy Policy, which allows the company to collect and combine data from any of its services, enabled it to improve the accuracy of its search results and targeted adverts and was not in breach of European law.
Following the announcement, Auke Haagsma, director of ICOMP, a group of software companies including Microsoft that campaigns against Google's dominant market status, told this website that the "unprecedented action by close to 30 privacy enforcement agencies all over Europe shows the severity of Google’s violations.”
“Google wants us to believe that enforcing the privacy laws will end the Internet as we know it, but the opposite is true. It is only if users’ trust that their personal data will not be collected and used against their wishes, that they feel confident enough to use all the important possibilities that the internet offers,” he said.
MEPs also lined up to launch broadsides against Google with MEPs Angelika Niebler and Philippe Juvin, who chair the centre-right EPP's working group on Internet policy, commenting that "Google must change its standards and raise them."
For his part, Belgian centre-left MEP Marc Tarabella, said that it was "unacceptable that European consumers are not clearly aware of what Google does with data inputted by them in good faith into the search engine."
Monique Goyens, director general of the European Consumer Organisation (BEUC), said that the investigation confirmed "our concerns that Google's privacy policy sits on the wrong side of EU data protection rules".
Google said it needs time to come with full response.
"We have received the report and are reviewing it now," said Peter Fleischer, Google's global privacy counsel.
"Our new privacy policy demonstrates our long-standing commitment to protecting our users' information and creating great products. We are confident that our privacy notices respect European law."
The ruling comes as the European Parliament prepares to enter negotiations on plans to overhaul EU data protection rules.
The reforms published by the European Commission in January include steps to increase people's control over their personal data, giving them the right to remove their data from company lists. It also tightens the rules on how companies can use data.