CNIL “regrets that the answers are often incomplete,” the regulator said in a statement today. CNIL finds it “impossible” to know how Google processes personal data and links information, or whether it adequately informs users about how data is handled.
CNIL is acting on behalf of the Article 29 Working Party, a group of European privacy regulators, who sought the review after Google announced changes to its privacy rules without allowing all of them time to review it or offer feedback, according to the Paris-based agency. The Mountain View, California-based company defied two CNIL requests to halt changes while it determined whether Europe’s standards were met. Google implemented the policy overhaul as planned on March 1.
“We have received the CNIL’s follow-up questions, and we are reviewing them,” Google’s Global Privacy Counsel Peter Fleischer said in an e-mail. “We are confident that our privacy notices respect the requirements of European data-protection laws.”
‘Inaccurate’ Versus ‘Vague’
CNIL’s English-language statement described the answers as “inaccurate,” while Google said the French word should have been translated as “vague.” In a letter to Google Chief Executive Officer Larry Page about the additional questions, Isabelle Falque-Pierrotin, head of CNIL, only references a need for “more precise and comprehensive” responses.
Google was fined $25,000 by the U.S. Federal Communications Commission for impeding an investigation of improper data gathering by its Street View cars. The company is also negotiating with the Federal Trade Commission over a fine for its breach of Apple Inc.’s Safari Internet browser when it planted so-called cookies on Safari that bypass Apple’s privacy settings, a person familiar with the matter said this month.
CNIL asked for clarifications to about 30 of Google’s responses. The regulator asked whether Google can measure how effective its campaign to inform users of the change to the policy was, saying “given Google’s extensive development and use of analytic tools,” CNIL is “surprised” it couldn’t provide information on page views and how many users it has.
CNIL also asked for explanations on why biometric data isn’t mentioned, how credit card data might be used, where and how data is stored, and what privacy settings might bar Google from using photos or other content marked as “private.”
Responses are due by June 8, the regulator said.
Once CNIL receives the answers, it will present a report to fellow regulators by mid-July and recommend “potential improvements” Google should implement to comply with European Union data-protection rules, according to the statement.