European Regulators Come Down on Google's Privacy Policy

Photograph by David Paul Morris/Bloomberg

Updated to add that Edelman also works as a consultant for several clients, including Microsoft.

Just weeks after getting hit with a record $22.5 million U.S. fine for Internet privacy violations, Google is facing fresh criticism in Europe for its collection of users’ personal data.

In an Oct. 16 ruling, France’s privacy-rights regulator said Google’s new privacy policy violated European data-protection rules. Google failed to set “any limit concerning the scope of the collection and the potential uses of the personal data,” and gave users inadequate means to opt out, the agency said. France could impose fines on Google within “three to four months” if the policy is not modified, said Isabelle Falque-Pierrotin, chairwoman of the regulator, known as the CNIL.

Last March, Google established a uniform privacy policy covering more than 60 services, including Google searches, YouTube, and Gmail. In a statement e-mailed after the decision, Google’s global privacy counsel Peter Fleischer said the company was “confident that our privacy notices respect European law.”

Although other countries are not bound by France’s action, they’re likely to follow its lead in demanding that Google revamp the policy. EU authorities had asked the CNIL to conduct the review, and the French findings were reviewed in advance by European national regulators and by data-protection authorities in anada, Australia, and several Asian countries. If Google refuses to modify its policy, it would be “almost certain to increase any fine that the regulators may wish to impose,” says Chris Watson, head of the telecommunications practice at the law firm of CMS Cameron McKenna in London.

The ruling comes 10 weeks after the U.S. Federal Trade Commission fined Google $22.5 million—the biggest fine in the agency’s history—to settle charges that it breached privacy protections on Apple’s Safari Internet browser. The FTC said Google illegally planted cookies in Safari, bypassing Apple privacy settings so that Google could track users’ browsing behavior.

The French decision also could create headaches for Google as it faces scrutiny by U.S. and European antitrust regulators. EU anti-monopoly authorities in 2010 opened an investigation of the company that is still ongoing. On Oct. 13, Bloomberg News reported that FTC investigators, after a 19-month review, had recommended that the FTC sue Google for abusing its dominance of Internet search.

Privacy issues rarely figure in antitrust enforcement. In Google’s case, though, “there’s a real relationship between its market power and its privacy practices,” says Ben Edelman, a lawyer who teaches at Harvard Business School and has written extensively about Internet data protection. (Edelman also works as a consultant focusing on detecting advertising fraud for several clients, including Microsoft.) “In a competitive market, it’s unlikely that Google could announce this policy and force it onto users,” Edelman says.

Some European privacy advocates share that view. “The issue of privacy is absolutely connected to antitrust and competition,” says Nick Pickles, a lawyer and director of Big Brother Watch, a British advocacy group for civil liberties and privacy protections. Google’s ability to glean data from dozens of different services gives it an unfair advantage in competing for advertisers, he says.

    Before it's here, it's on the Bloomberg Terminal.