France’s National Commission for Computing and Civil Liberties, or CNIL, will announce its conclusions tomorrow. Given the European Union’s patchwork approach to data protection, regulators may then decide to pursue their own cases against the company.
As a result, the matter may not end with France for Google, said Nick Graham, a data protection lawyer at SNR Denton in London. “While CNIL’s views will be persuasive, other data- protection regulators in other EU countries could take a different line and levy their own sanctions.”
Google, operator of the world’s largest search engine, is facing privacy investigations by authorities around the world as it debuts new services and steps up competition with Facebook Inc. (FB) for users and advertisers. Google changed its system this year to create a uniform set of policies for more than 60 products, unleashing criticism from regulators and consumer advocates concerned it isn’t protecting data it collects.
After Google announced its plans in January, European privacy regulators asked their French counterpart to look into whether the resulting controls meet the bloc’s standards on their behalf as they weren’t given time to vet it, CNIL said.
The report “has been approved and shared with all European authorities,” CNIL said Oct. 11. The audit’s goal “was to clarify the implications of these new rules for Google users.”
The two have had several public exchanges since the inquiry began. Google twice rebuffed CNIL requests to wait to implement the changes until it could assess whether they comply with European standards. CNIL also submitted two rounds of questions to Google, once seeking details on the new policy and how it affected users, and a second time asking to clarify or expand on the earlier responses.
In a February letter, CNIL said its preliminary analysis showed the policy may not meet EU requirements and criticized Google for not alerting all European privacy authorities about its plans earlier. Some “only heard about the changes a few days before the announcement,” Isabelle Falque-Pierrotin, CNIL’s chairwoman said in the letter.
“For a company to willfully ignore the collective concern of regulators worldwide sets a very dangerous precedent,” said Nick Pickles, director of U.K. privacy advocate Big Brother Watch. Google “has appeared far from frank and there’s a great deal of uncertainty about the willingness of the company to engage with these issues and ensure consumers do have a clear understanding of what happens to their data.”
Google didn’t change existing privacy settings or collect additional data on users, the company’s global privacy counsel, Peter Fleischer, told European privacy watchdogs at the Article 29 Data Protection Working Party in a letter on Google’s blog.
“We briefed most of the members of the working party in the weeks leading up to our announcement,” Fleischer wrote in a Feb. 3 entry. “None of them expressed substantial concerns.”
Europe’s privacy watchdogs differ in their investigative and enforcement powers. EU Justice Commissioner Viviane Reding proposed changing the bloc’s 17-year-old data-protection rules and how they’re administered to toughen protections and make things simpler for companies, putting them under one regulator rather than potentially facing multiple inquiries on the same subject, as Google faced on its Street View mapping service.
In the meantime, agencies are striving to coordinate actions to speak with one voice and minimize redundant efforts. CNIL’s work conducting one investigation into a Europe-wide question on Google is one of the first examples of this.
To contact the reporter on this story: Stephanie Bodoni in Luxembourg at firstname.lastname@example.org
To contact the editor responsible for this story: Anthony Aarons at email@example.com