Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Google Inc. is facing aggressive data protection enforcement action by European Union data protection authorities in France, Spain, and the United Kingdom.
France and Spain June 20 issued enforcement orders related to changes Google made to its privacy policies in 2012.
Meanwhile in the United Kingdom, the Information Commissioner's Office June 21 took action on Google's collection of wireless internet content data during its Street View mapping project.
In January 2012, Google announced it would share, and track, user information across its email, social networking, YouTube, search engine, and other services, as part of a plan to integrate its 60 privacy policies into one policy (11 PVLR 189, 1/30/12).
The company launched the policy change March 1, 2012, despite a letter from the Article 29 Working Party of data protection officials from the 27 EU member states urging the internet giant to change the policy (11 PVLR 426, 3/5/12).
The June 10 enforcement order details how Google's policy allegedly violates France's 1978 framework Law on Information Technology and Liberties (78-17, updated in 2011).
The document lists six areas in which the CNIL said the U.S.-based company must make changes to bring the policy into compliance with the law by September.
The CNIL demanded that Google:
• specifically and explicitly define the purposes for collecting and processing user personal data;
• effectively and explicitly inform users for what purposes their data are processed;
• define personal data retention periods not exceeding a duration necessary for the stated purposes;
• either obtain informed consent from users to combine their personal data, or comply with one of five listed legal conditions;
• fairly collect and process passive users' data, in particular with regard to data collected using the “DoubleClick” and “Analytics”cookies, “+1”buttons, or any other Google service available on the page visited; and
• obtain informed user consent to store cookies on their terminals.
“The commencement of this procedure comes in the aftermath of preliminary AEPD investigations, which have made it possible to confirm the existence of several indications of infringement,” the AEPD said in a statement.
According to the AEPD, the procedure will attempt to “clarify” the results of the investigations initiated in April, which point to:
• failure to adequately inform data subjects on how and why their personal data will be used, with the gathering of data for one purpose potentially leading to the illegitimate handling of data for another end;
• personal data storage for “indeterminate or unjustified” time periods, when the LOPD requires that data be cancelled once no longer relevant or necessary for their original purpose; and
• hampering users’ ability to exercise their rights to access, rectify, cancel, and oppose information held about them.
The AEPD tends to determine infringement in an agency resolution, issuing fines in accordance with the gravity of the offense. In total, the potential infringements would represent five serious violations of the LOPD, as well as one minor infraction, leading to total maximum fines of up to €1.54 million ($2 million), the AEPD said.
Other DPA members of the original six-member task force from Germany, Italy, the Netherlands, and the United Kingdom are still contemplating what kind of specific enforcement action to pursue against Google over its policy change, the CNIL said.
The ICO ordered Google to destroy any content or “payload” data collected in the United Kingdom before 2010 by the company's Street View vehicles.
In the enforcement notice dated June 11, the ICO said Google had to take action within 35 days of the order and to inform the Information Commissioner if it subsequently discovers any more Street View vehicle disks holding personal data and collected in the United Kingdom.
The ICO's Head of Enforcement Stephen Eckersley warned in a June 21 statement that “failure to abide by the notice will be considered as contempt of court, which is a criminal offence.” The ICO said, however, that the detriment caused to individuals by Google's breach failed to meet the level required to issue a monetary penalty.
“The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information,” Eckersley said in a statement. “The punishment for this breach would have been far worse, if this payload data had not been contained.”
The ICO's decision follows the reopening of its investigation into the Google Street View project last year after the publication of a report by the U.S. Federal Communications Commission (11 PVLR 974, 6/18/12).
Following the discovery last year that Google had failed to destroy five disks which could contain United Kingdom data, the ICO found that the search engine giant was in breach of the U.K. Data Protection Act 1988 Fifth Data Protection Principle, which states that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
By Rick Mitchell (Paris), Brett Allan King (Madrid), and Ali Qassim (London)
The CNIL's order to Google (Decision No. 2013-025) is available at http://www.cnil.fr/fileadmin/documents/en/D2013-025_10_Jun_2013_GOOGLE_INC_EN.pdf.
The ICO's enforcement notice against Google is available at http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/google-inc-enforcement-notice-11062013.pdf.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)