Today’s joint decision follows a deadlock at a March 19 meeting between Google and the data watchdogs, France’s National Commission for Computing and Civil Liberties said in a statement on its website. It’s now up to national regulators to pursue the company according to their own rules and powers, CNIL said.
“The authorities’ goal is not to fine Google,” said Isabelle Falque-Pierrotin, chairwomen of the French agency, which led a taskforce of data authorities also from the U.K., Germany, Spain, Italy and the Netherlands. “The goal is for Google to be in line with what we demand.” CNIL could levy a maximum fine of 150,000 euros ($192,300), she said in a phone interview.
Google, operator of the world’s largest search engine, faces privacy investigations by authorities around the world as it debuts new services and steps up competition with Facebook Inc. for users and advertisers. Google last year changed its system to create a uniform set of policies for more than 60 products, unleashing criticism from regulators and consumer advocates concerned it isn’t protecting data it collects.
The Article 29 Data Protection Working Party, which comprises national privacy authorities in the EU, wrote to Google Chief Executive Officer Larry Page in October, saying Google “empowers itself to collect vast amounts of personal data about Internet users” without demonstrating that this “collection was proportionate,” and asking the company to bring its policy in line with EU rules.
Today’s announcement by the taskforce of six agencies builds on work done by the EU group in the past year, said Falque-Pierrotin.
The CNIL chief warned last year the French authority may fine Mountain View, California-based Google for not complying, calling it “probable” that other European agencies would pursue Google.
“I am not prejudging any fines that may be levied,” Falque-Pierrotin said. “We are in a continued process of dialogue with Google and the whole process can be stopped at any moment if Google puts its systems in line with our demands.” Still, as things stand now, Google is in breach of European law, she said. “We have said so since October.”
Any financial sanctions would happen in the second half of this year,” she said. A “first burst of action will happen before the summer, with the different authorities analyzing Google’s failures in line with their national laws.”
One of the shortcomings identified by the EU regulators in October was a lack of information to people about how their data is used, she said.
The taskforce of six agencies is represented in Germany by Johannes Caspar, the data protection commissioner for Hamburg.
“We want to show after one year of talks with Google that we are being serious and are taking action,” Caspar said in a phone interview.
Any action in Germany would be taken in coordination with all of the country’s privacy bodies, he said. Hamburg took responsibility for the action in the country because Google has its main German base in the city, said Caspar.
In February, CNIL said Google could face “repressive actions” by various privacy authorities after failing to give “precise and effective” responses to the EU group’s recommendations. Google said then that it had answered on Jan. 8, listing changes it’s made to improve the protections and asking to meet to discuss the case.
“Consumers are increasingly concerned about how their data is being used and it is essential that those breaking the law are properly punished,” Nick Pickles, director of privacy group Big Brother Watch, said in an e-mailed statement. “It is essential regulators find a sanction that is not just a slap on the wrists and will make Google think twice before it ignores consumer rights again.”
CNIL’s heaviest fine to date was 100,000 euros against Google in 2011 for breaches related to its Street View mapping service.
Viviane Reding, the EU’s justice commissioner, who is seeking tougher penalties for data privacy lapses, said she welcomed today’s steps against Google.
“It is good to see that six national data protection authorities are teaming up to enforce Europe’s common data protection rules,” she said in an e-mailed statement.
“Data protection authorities speak louder with one voice than with 27,” Reding said. “Such concerted actions need to evolve from the exception to the rule -- that’s exactly what the EU data protection reform will make sure of.”
Reding last year proposed allowing national authorities to fine companies as much as 2 percent of yearly global sales for “intentionally or negligently” violating the rules. The overhaul is under consideration by the European Parliament and EU governments.