CNIL Announces Sanction Proceedings Against Google Over Unified Privacy Policy


By Rick Mitchell  

Oct. 1 -- France's data protection authority (CNIL) has announced plans to launch formal sanction proceedings against Google Inc. for what it called the company's failure to heed an order to modify its controversial servicewide privacy policy to comply with French law.

The Paris-based authority was one of three European Union member state authorities to announce enforcement actions in June against the U.S. Internet giant regarding changes Google made to its privacy policies in 2012.

On June 10, CNIL gave Google three months to make changes in six areas to bring its privacy policy into compliance with the country's 1978 framework Law on Information Technology and Liberties (78-17, updated in 2011), or face penalties.

In a Sept. 27 statement, CNIL said Google's response to the order on the final day of the deadline “challenged the CNIL's reasoning and the jurisdiction of the 1978 law to services used by French residents.”

“In this context, the CNIL's president will appoint a rapporteur to begin a formal sanction procedure, as provided for in the 1978 law,” the authority said.

In a statement provided to Bloomberg BNA Oct. 1, Google said, “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and will continue to do so going forward.”

Potential Fine of 300,000 Euros

Under French law, Google could face a fine of up to 300,000 euros ($406,299) in the case, but it might also face similar enforcement actions in several other EU member states.

The French, Spanish and U.K. actions grew out of an investigation into Google's unified privacy policy by a six-nation task force led by CNIL at the request of the EU Article 29 Data Protection Working Party of data protection officials from the 27 EU member states.

In January 2012, Google announced it would share--and track--user information across its e-mail, social networking, YouTube, search engine and other services, as part of a plan to integrate its 60 privacy policies into one policy.

The company launched the policy change March 1, 2012, despite a letter from the Art. 29 Working Party urging the company to change the policy.

In February 2013, CNIL said Google had passed a four-month deadline imposed by EU data protection authorities to commit to revising its single privacy policy and might face sanctions before summer.

CNIL Demands Changes

CNIL's latest statement restates demands from its June 10, 2013, enforcement order listing six areas in which it says Google's policy must be changed to comply with French law. It must:

• specifically and explicitly define the purposes for collecting and processing users' personal data;

• explicitly inform users for what purposes their data are processed;

• define personal data retention periods to not exceed a duration necessary for the stated purposes;

• either obtain informed consent from users to combine their personal data or comply with one of five listed legal conditions;

• fairly collect and process passive users' data, in particular with regard to data collected using the “DoubleClick” and “Analytics” cookies, “+1” buttons or any other Google service available on the page visited; and

• obtain informed user consent to store cookies on their terminals.



To contact the reporter on this story: Rick Mitchell in Paris at

To contact the editor responsible for this story: Katie W. Johnson at
