France, Spain, U.K. Open Privacy Enforcement Actions Against Google


By Rick Mitchell (Paris), Brett Allan King (Madrid), Ali Qassim (London)

Google Inc. is facing aggressive data protection enforcement action by European Union data protection authorities in France, Spain, and the United Kingdom.

France and Spain June 20 issued enforcement orders related to changes Google made to its privacy policies in 2012.

Meanwhile in the United Kingdom, the Information Commissioner's Office June 21 took action on Google's collection of wireless internet content data during its Street View mapping project.

France Sets Three-Month Deadline

The French data protection authority (CNIL) June 20 made public an order to Google to modify its controversial servicewide privacy policy to comply with French data protection law within three months, or face possible penalties.

In January 2012, Google announced it would share, and track, user information across its email, social networking, YouTube, search engine, and other services, as part of a plan to integrate its 60 privacy policies into one policy (11 PVLR 189, 1/30/12).

The company launched the policy change March 1, 2012, despite a letter from the Article 29 Working Party of data protection officials from the 27 EU member states urging the internet giant to change the policy (11 PVLR 426, 3/5/12).

The action is based on an investigation into the company's unified privacy policy by a six-nation task force led by the CNIL at the request of the Article 29 Working Party.

The June 10 enforcement order details how Google's policy allegedly violates France's 1978 framework Law on Information Technology and Liberties (78-17, updated in 2011).

In February the CNIL said Google Inc. had passed a four-month deadline imposed by EU data protection authorities to commit to revising its single privacy policy and could face sanctions before summer (12 PVLR 332, 2/25/13).

The document lists six areas in which the CNIL said the U.S.-based company must make changes to bring the policy into compliance with the law by September.

The CNIL demanded that Google:

• specifically and explicitly define the purposes for collecting and processing user personal data;

• effectively and explicitly inform users for what purposes their data are processed;

• define personal data retention periods not exceeding a duration necessary for the stated purposes;

• either obtain informed consent from users to combine their personal data, or comply with one of five listed legal conditions;

• fairly collect and process passive users' data, in particular with regard to data collected using the “DoubleClick” and “Analytics” cookies, “+1” buttons, or any other Google service available on the page visited; and

• obtain informed user consent to store cookies on their terminals.

Spain's DPA Warns of Fines Up to $2 Million

In Spain, the data protection authority (AEPD) June 20 announced it had opened sanctions proceedings against Google Spain and Google Inc. over its privacy policy for several potential violations of the Spanish Data Protection Act (LOPD, Organic Law 15/1999).

“The commencement of this procedure comes in the aftermath of preliminary AEPD investigations, which have made it possible to confirm the existence of several indications of infringement,” the AEPD said in a statement.

According to the AEPD, the procedure will attempt to “clarify” the results of the investigations initiated in April, which point to:

• “disproportionate” use of user data, given that the company’s privacy policy “warns users that it may use collected data without limit in all its services, present or future”;

• failure to adequately inform data subjects on how and why their personal data will be used, with the gathering of data for one purpose potentially leading to the illegitimate handling of data for another end;

• personal data storage for “indeterminate or unjustified” time periods, when the LOPD requires that data be cancelled once no longer relevant or necessary for their original purpose; and

• hampering users’ ability to exercise their rights to access, rectify, cancel, and oppose information held about them.

The AEPD tends to determine infringement in an agency resolution, issuing fines in accordance with the gravity of the offense. In total, the potential infringements would represent five serious violations of the LOPD, as well as one minor infraction, leading to total maximum fines of up to €1.54 million ($2 million), the AEPD said.

Other DPA members of the original six-member task force from Germany, Italy, the Netherlands, and the United Kingdom are still contemplating what kind of specific enforcement action to pursue against Google over its policy change, the CNIL said.

ICO Seeks Destruction of Wi-Fi Data

The ICO ordered Google to destroy any content or “payload” data collected in the United Kingdom before 2010 by the company's Street View vehicles.

In the enforcement notice dated June 11, the ICO said Google had to take action within 35 days of the order and to inform the Information Commissioner if it subsequently discovers any more Street View vehicle disks holding personal data and collected in the United Kingdom.

The ICO's Head of Enforcement Stephen Eckersley warned in a June 21 statement that “failure to abide by the notice will be considered as contempt of court, which is a criminal offence.” The ICO said, however, that the detriment caused to individuals by Google's breach failed to meet the level required to issue a monetary penalty.

“The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information,” Eckersley said in a statement. “The punishment for this breach would have been far worse, if this payload data had not been contained.”

The ICO's decision follows the reopening of its investigation into the Google Street View project last year after the publication of a report by the U.S. Federal Communications Commission (11 PVLR 974, 6/18/12).

Following the discovery last year that Google had failed to destroy five disks which could contain United Kingdom data, the ICO found that the search engine giant was in breach of the U.K. Data Protection Act 1988 Fifth Data Protection Principle, which states that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”



The CNIL's order to Google (Decision No. 2013-025) is available at http://www.cnil.fr/fileadmin/documents/en/D2013-025_10_Jun_2013_GOOGLE_INC_EN.pdf.

The ICO's enforcement notice against Google is available at http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/google-inc-enforcement-notice-11062013.pdf.