Google controls 95% of the European search engine market, meaning that changes implemented in March 2012 to its privacy policy have affected almost everyone. In an attempt to streamline over 60 different privacy policies, Google replaced them with a single, comprehensive policy, designed to cover the collection of personal data from all its services, such as Gmail and YouTube.
EU Investigation into Google’s Changed Privacy Policy
The change in Google’s privacy policy has been investigated by the Article 29 Working Party, which is a committee made up of representatives from different data protection authorities from the EU’s member states. It is headed by the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL).
The findings were outlined in a letter sent by CNIL to Google, which addressed the limit and scope of data collected, the insufficient information provided to users about the purpose of the data, and concerns about data from different services being combined. Further to this, the CNIL made recommendations as to how Google could rectify these breaches.
Legal Action Against Google
Google were given three to four months to implement the recommendations, and as no changes were introduced, the data protection authorities of the EU member states have started joint legal action against the search giant. The CNIL have said it is now up to each member state to carry out further investigation, to realise the extent of Google’s breaches in accordance with its own national law which implements European legislation.
So far, data protection authorities in Germany, France, Spain, Italy, the Netherlands and the UK have started investigations, each of which could result in Google being fined. The UK’s Information Commissioner’s Office can levy fines up to a maximum of £500,000, and France’s CNIL can fine up to £255,000.
Although Google can easily afford to pay these fines, it is possible that the regulators could attempt to stop Google from operating in Europe, which would significantly damage its profits and reputation. It remains to be seen whether Google will comply and implement the recommended changes, or if it will dispute and challenge the findings of the regulatory bodies.
Use of Private Information by Business
Large or small, all businesses need to comply with data protection laws. The Information Commissioner’s Office provides plenty of advice regarding legal obligations and responsibilities of businesses within the UK, as well as up-to-date information about any changes. The requirements can be complex, so legal advice is recommended.
The main concern with Google’s changes regards transparency, and how far users are aware of and consent to their data being used, as opposed to the simplification and streamlining of policies, which is encouraged. If your business collects or uses personal data, it is essential that you maintain compliance with data protection regulation to avoid the risk of prosecution.
Rollingsons has experienced lawyers who can help you draft and implement compliant privacy policies and ensure that you have adequate data protection measures in place. For more information please contact James Crichton via e-mail jcrichton@rollingsons.co.uk or by telephone on 0207 611 4848.