Google May Face Fines in EU Unless It Fixes Privacy Issues

Google Inc. was urged by European Union regulators to fix flaws in its privacy policy or face possible fines after the company’s responses to a probe were deemed to be “incomplete” and “unsatisfactory.”

Data-protection watchdogs called on Google “to upgrade its privacy policy practices,” said France’s National Commission for Computing and Civil Liberties, or CNIL, which led the probe for EU authorities.

Google has up to four months to bring its program into compliance before it could face “a sanctions phase,” Isabelle Falque-Pierrotin, CNIL’s chairwoman said in Paris today. CNIL could impose fines itself, and she said it’s “probable” that others in Europe could also pursue Google if it doesn’t change.

Google, operator of the world’s largest search engine, faces privacy investigations by authorities around the world as it debuts new services and steps up competition with Facebook Inc. for users and advertisers. Google changed its system this year to create a uniform set of policies for more than 60 products, unleashing criticism from regulators and consumer advocates concerned it isn’t protecting data it collects.

Google is “confident that our privacy notices respect European law,” Peter Fleischer, Google’s global privacy counsel, said in an e-mailed statement. “Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products.”

“Absence of Limits”

“It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object,” CNIL said today. “The privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.”

Today’s warning follows a letter sent by EU data-protection watchdogs to Google Chief Executive Officer Larry Page urging the company modify its practices, saying it “empowers itself to collect vast amounts of personal data about Internet users” without demonstrating that this “collection was proportionate.”

Google, in insisting it does comply with EU rules, “may be willing to simply pay any such fines to keep from having to unravel the policy,” said Greg Sterling, an analyst at Opus Research in San Francisco. “It all depends on what the penalties are or will be.”

Sanction Powers

CNIL imposed its heaviest fine to date -- 100,000 euros ($130,000) -- against Mountain View, California-based Google last year for breaches related to its Street View mapping service. Not all of the authorities have sanction powers. Regulators in the U.K., Ireland and Austria, which is one that can’t fine violators, said they will first see how Google reacts to the letter before considering any other actions.

Beyond Europe, privacy watchdogs in Canada and the Asia-Pacific region share CNIL’s views, the French agency said.

“Google, which makes billions of euros in ad revenue per quarter, can afford to pay a significant one-time fine or penalty as the price of its privacy policy,” Sterling said. “Anything lower than many millions of euros will not be meaningful to the company.”

For now Google is cooperating, CNIL’s Falque-Pierrotin said in an interview on Bloomberg TV’s “City Central” today.

Practical Approach

CNIL will work with Google “to see what would be the practical transformation or changes in the policy and in the practices of Google in order for the company to become compliant,” she said. EU regulators “don’t want to prevent this company from any innovation, new services, but they also want to say to this company that there is a huge European market and consumers are worried about Google’s practices.”

The investigation “confirms our concerns that Google’s privacy policy sits on the wrong side of EU data protection rules,” said EU consumer advocate BEUC Director Monique Goyens. “This is a healthy shift towards restoring consumer control over personal data.”

EU Justice Commissioner Viviane Reding proposed changing the bloc’s 17-year-old data-protection rules and how they’re administered to toughen protections and make things simpler for companies, putting them under one regulator rather than potentially facing multiple inquiries on the same subject, as Google faced on Street View.

In the meantime, agencies are striving to coordinate actions to speak with one voice and minimize redundant efforts. CNIL’s work conducting one investigation into a Europe-wide question on Google and the letter signed by 27 European data protection authorities marks the first time this happened.

“CNIL, all the authorities” from the Article 29 group “and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations,” the French authority said.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE