Dutch Privacy Office Extends Google Compliance Deadline

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

July 9 — The Dutch data protection authority July 9 said that it had extended until the end of 2015 a deadline for Google Inc. to seek the consent of Internet users whose data it collects for use in targeted advertising.

In a decision addressed to Google dated June 9 but made public July 9, the College bescherming persoonsgegevens (CBP) said that the new deadline would supersede a deadline of Feb. 27, which was laid down in a November 2014 cease-and-desist order that threatened Google with fines of up to 15 million euros ($16.5 million).

The 2014 order against Google said the company breached the Dutch Data Protection Act by being insufficiently clear about, and not seeking consent for, the collection of Internet users' data from sources such as search engine queries and YouTube video views, and its use to provide targeted ads.

The cease-and-desist order is a follow-up to an investigation prompted by Google's announcement in January 2012 that it would share, and track, user information across its e-mail, social networking, YouTube, search engine and other services, as part of a plan to integrate multiple privacy policies into one policy.

Some Concerns Addressed 

The CBP said in a statement July 9 that Google had already addressed one of its concerns from the cease-and-desist order by adapting the information in its privacy policy to make it clear that YouTube is a Google service.

In addition, new users that create Google accounts are now asked for their consent for the combining of their data related to the use of different Google services, the CBP said.

However, Google needs to take further steps to provide all users of Google services with “the opportunity to give their unambiguous consent for the combining of their personal data not later than by the end of December 2015,” the CBP said.

The regulator added that it would “monitor whether this will be done properly,” and it said it reserved the right to impose a fine of up to 5 million euros ($5.5 million) if Google remains noncompliant.

The fine would be calculated on the basis of a 20,000 euro ($22,020) levy for each day that Google continues to breach the Dutch Data Protection Act after December 2015. The maximum possible fine is lower than the 15 million euros contained in the previous cease-and-desist order because Google had addressed some of the CBP's concerns.

Google is under ongoing scrutiny from privacy regulators from France, Germany, Italy, the Netherlands, Spain and the U.K., which started a coordinated enforcement effort against the company in April 2013.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com

The CBP decision addressed to Google is available, in Dutch, at https://cbpweb.nl/sites/default/files/atoms/files/besluit_op_bezwaar_google.pdf.

Request Bloomberg Law: Privacy & Data Security