Google Gets 3 Months to Fix Privacy or Face French Fines

France gave Google Inc. three months to amend its policy regarding Internet users’ data to avoid fines, and said five other European countries will follow suit by the end of July.

The U.S. search engine giant is breaching French laws because it “prevents individuals from knowing how their personal data may be used and from controlling such use,” France’s National Commission for Computing and Civil Liberties, the country’s data protection watchdog known as CNIL, said today in a statement in Paris. It ordered Google to comply with the French Data Protection Act.

“France, Spain, the U.K. at the start of next week and Germany at the end of next week will all take a formal and official decision to start repressive proceedings against Google, and a second salvo will come from Italy and the Netherlands by the end of July,” Isabelle Falque-Pierrotin, Chairwoman of the French authority, said.

Google faces probes across Europe over changes to harmonize privacy policies for more than 60 products last year. Global data protection regulators this week wrote to the Mountain View, California-based company urging Chief Executive Officer Larry Page to contact them about possible issues with its web-enabled eyeglasses, called Google Glass.

“Our privacy policy respects European law and allows us to create simpler, more effective services,” Al Verney, a spokesman for Google in Brussels, said by phone. “We have engaged fully with the data protection authorities involved throughout this process and will continue to do so going forward.”

Gmail Messaging

The French data protection watchdog ordered the company to spell out for users why it collects information “to understand practically the processing of their personal data,” better inform users of its privacy policy, and “define retention periods of personal data processed that do not exceed the period necessary for the purposes for which they are collected.”

CNIL is also asking the owner of the Gmail messaging system to request users’ permission for “the potentially unlimited combination” of their data, ask users’ approval to collect their data with tools such as the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service on third-party websites, and “inform users and then obtain their consent in particular before storing cookies in their terminal.”

The formal notice “isn’t very prescriptive,” Falque-Pierrotin said. “We’re leaving Google some leeway to reach compliance.”

Maximum Fine

CNIL can levy a maximum fine of 150,000 euros ($198,200), and 300,000 euros in case of a repeated offense, she said. Other regulators may impose sanctions of up to 1 million euros, potentially exposing Google to “several million euros” of fines on top of damaging its image, she said.

The French watchdog’s most severe fine to date was 100,000 euros against Google in 2011 for breaches related to its Street View mapping service. Hamburg’s data privacy regulator in April fined Google 145,000 euros for collecting wireless-network data from 2008 to 2010 by its cars taking photos for the Street View service.

Data protection regulators from the 27-nation EU, that make up the so-called Article 29 Data Protection Working Party, wrote to Google Chief Executive Officer Larry Page last October, saying the company “empowers itself to collect vast amounts of personal data about Internet users” without demonstrating that this “collection was proportionate,” and asking the company to bring its policy in line with EU rules.

Enforcement Measures

Six European privacy regulators started “coordinated” enforcement measures in April over the company’s failure to address complaints about its new privacy policy. The French agency led the probe on behalf of the EU group to review whether Google’s revisions to its policies violated the bloc’s rules.

In Spain, Google risks fines of as much as 300,000 euros for violating privacy rules, the country’s data protection regulator said today. The Spanish authority opened a sanctions procedure after initial investigations found there may have been at least five serious infringements.

The Italian authority said in a statement it will request more information from Google and will study the company’s response before deciding whether to impose sanctions. The data protection watchdog in Hamburg, where Google has its main German base, leads the probe in Germany in coordination with other local regulators. It has opened a formal probe against Google.

Dutch Authority

The Dutch privacy authority as part of its investigation will first issue a confidential report and then request Google’s responses, said CNIL. The final outcome may include fines. The U.K. privacy watchdog will soon write to Google with its initial conclusions, according to CNIL.

Viviane Reding, the EU’s justice commissioner, last year proposed an overhaul of the bloc’s data-protection law to allow national authorities to fine companies as much as 2 percent of yearly global sales for “intentionally or negligently” violating the rules. The plans are under consideration by the European Parliament and EU governments.

“Time is running out for Google to get serious about data protection” and the case gives “yet another reason why we have no time to lose on the EU’s data protection reform,” she said in a posting on Twitter.

Before it's here, it's on the Bloomberg Terminal.