Search


  • Categories


  • Archives

    « Home

    Update: France’s CNIL Moves to Sanction Google Over Consumer Privacy

    To recap: In January 2012, Google announced changes in its privacy policies that would affect users of its services, such as search, Gmail, Google+ and YouTube. Advocates and legislators questioned the changes, saying that there were privacy issues, and criticized (pdf) the Internet services giant for not including an opt-out provision. The critics included 36 U.S. state attorneys general, who wrote to (pdf) Google raising privacy and security questions about the announced privacy policy changes. The EU’s Article 29 Data Protection Working Party wrote to (pdf) to the online services giant about the privacy policy changes, which affect 60 Google services. The Working Party, which includes data protection authorities from all 27 European Union member states as well as the European Data Protection Supervisor, asked Google to halt implementation of these changes while the data protection authority in France (the National Commission for Computing and Civil Liberties, CNIL) investigates. Google refused and its new privacy policies went into effect in March 2012. The CNIL investigation has continued, with Google answering two questionnaires about its privacy policies from the authority. In October, the CNIL wrote (archive pdf) to Google to announce findings (archive pdf) from its investigation and recommendations for changes from the Internet services giant. The authority said that there are issues with Google’s privacy policies and it may violate European data-protection laws.

    Now, the Wall Street Journal reports that CNIL “launched a court-like proceeding against Google Inc. that could lead to fines, the most aggressive step yet among a group of European regulators that allege the U.S. Internet company’s handling of user data violates European privacy law.” And it might be possible for CNIL fine Google an amount that would actually hurt the company. The Journal reports, “CNIL didn’t specify the amount of the fine it might seek, but a person briefed on the matter said the agency is considering whether it would be legally possible to count every Google user in France as an infraction—allowing it to multiply France’s data-protection fines beyond the current maximum of €150,000 ($203,000) for first offenses.”

    Recall that the information services giant has paid small fines (compared with Google’s earnings) for privacy scandals before. In April 2012, the Federal Communications Commission decided (redacted pdf) that it would not take enforcement action against the company over data collection and retention as part of its online mapping service, Street View, but it would fine Google $25,000 for impeding the agency’s investigation into the private data collected and retained via its Street View product. In March, Google reached a settlement (Connecticut pdf; archive pdf) with 38 states and the District of Columbia over the collection and retention of individuals’ personal data through its Street View product, but the company would only have to pay $7 million total and implement a privacy program.

    The Journal reports that CNIL is making the move toward possible fines because “Google had missed a three-month deadline to comply with an order to change its treatment of user data.” Also, “The potential sanctions represent a test case as the European Union considers a new privacy law that would beef up potential fines and unify an enforcement process that is now fragmented across a patchwork of 28 countries. The new privacy law, which could authorize fines of up to 2% of a violator’s world-wide revenue, is headed for a vote in a European Parliament committee in late October.”

    Leave a Reply