Google has up to four months to bring its program into compliance before it could face “a sanctions phase,” Isabelle Falque-Pierrotin, CNIL’s chairwoman said in Paris today. CNIL could impose fines itself, and she said it’s “probable” that others in Europe could also pursue Google if it doesn’t change.
Google, operator of the world’s largest search engine, faces privacy investigations by authorities around the world as it debuts new services and steps up competition with Facebook Inc. for users and advertisers. Google changed its system this year to create a uniform set of policies for more than 60 products, unleashing criticism from regulators and consumer advocates concerned it isn’t protecting data it collects.
“Absence of Limits”
Today’s warning follows a letter sent by EU data-protection watchdogs to Google Chief Executive Officer Larry Page urging the company modify its practices, saying it “empowers itself to collect vast amounts of personal data about Internet users” without demonstrating that this “collection was proportionate.”
Google, in insisting it does comply with EU rules, “may be willing to simply pay any such fines to keep from having to unravel the policy,” said Greg Sterling, an analyst at Opus Research in San Francisco. “It all depends on what the penalties are or will be.”
CNIL imposed its heaviest fine to date -- 100,000 euros ($130,000) -- against Mountain View, California-based Google last year for breaches related to its Street View mapping service. Not all of the authorities have sanction powers. Regulators in the U.K., Ireland and Austria, which is one that can’t fine violators, said they will first see how Google reacts to the letter before considering any other actions.
Beyond Europe, privacy watchdogs in Canada and the Asia-Pacific region share CNIL’s views, the French agency said.
For now Google is cooperating, CNIL’s Falque-Pierrotin said in an interview on Bloomberg TV’s “City Central” today.
CNIL will work with Google “to see what would be the practical transformation or changes in the policy and in the practices of Google in order for the company to become compliant,” she said. EU regulators “don’t want to prevent this company from any innovation, new services, but they also want to say to this company that there is a huge European market and consumers are worried about Google’s practices.”
EU Justice Commissioner Viviane Reding proposed changing the bloc’s 17-year-old data-protection rules and how they’re administered to toughen protections and make things simpler for companies, putting them under one regulator rather than potentially facing multiple inquiries on the same subject, as Google faced on Street View.
In the meantime, agencies are striving to coordinate actions to speak with one voice and minimize redundant efforts. CNIL’s work conducting one investigation into a Europe-wide question on Google and the letter signed by 27 European data protection authorities marks the first time this happened.
“CNIL, all the authorities” from the Article 29 group “and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations,” the French authority said.