Google Rebuked by EU Privacy Watchdogs on Data Protection Policy

Google Inc. (GOOG) was told by European Union regulators to bolster its privacy policy in a warning that may trigger a new round of clashes with data-protection watchdogs across the bloc.

The company “empowers itself to collect vast amounts of personal data about Internet users” without demonstrating that this “collection was proportionate,” the privacy regulators said in a letter yesterday to Chief Executive Officer Larry Page, obtained by Bloomberg News.

“Google should modify its practices when combining data across services,” according to the letter. The company should clarify why and how it combines data, and report on how it processes users’ personal information, the regulators said. The findings will be announced at a press conference in Paris today.

Google, operator of the world’s largest search engine, is facing privacy investigations by authorities around the world as it debuts new services and steps up competition with Facebook Inc. (FB) for users and advertisers. Google changed its system this year to create a uniform set of policies for more than 60 products, unleashing criticism from regulators and consumer advocates concerned it isn’t protecting data it collects.

Google spokeswoman Niki Fenwick declined to comment on the letter yesterday.

France’s National Commission for Computing and Civil Liberties, or CNIL, led the investigation into Google on behalf of the so-called Article 29 Data Protection Working Party, which represents European authorities.

Street View

Google has also faced scrutiny over its Street View mapping service after cars it sent out to take photos collected so- called payload data from unrestricted Wi-Fi networks. The company said it was done mistakenly. CNIL issued its heaviest sanction after the incident, fining the company 100,000 euros ($129,000) in 2011.

Google described the policy, which took effect on March 1, as “providing users with clear and comprehensive information about how we use data,” according to an Oct. 11 e-mail from Brussels-based spokesman Al Verney. “We are confident that our privacy notices respect the requirements of European data protection laws,” he said.

Google should work with data-protection authorities when it devises services that could impact users’ privacy, and was asked to give CNIL a schedule for when it “will update its privacy policy and practices to implement our recommendations,” according to the letter.

Sanction Powers

Some European authorities, like CNIL, can impose fines for non-compliance, though the letter contained no details on the consequences of refusing to change the policy. Google twice rebuffed CNIL requests to wait to implement the changes until it could assess whether they comply with the bloc’s standards.

“There’s a bit of ‘payback’ here as well,” said Greg Sterling, an analyst at Opus Research in San Francisco. “Google decided to go ahead and implement the new policy despite being asked to delay it by European regulators who wanted more time to study it.”

The EU group is “happy” Google responded to two rounds of written public questioning by CNIL, though “grey areas still remain,” according to the letter.

To contact the reporters on this story: Stephanie Bodoni in Luxembourg at sbodoni@bloomberg.net; Heather Smith in Paris at hsmith26@bloomberg.net

To contact the editor responsible for this story: Anthony Aarons at aaarons@bloomberg.net

Bloomberg reserves the right to edit or remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.