• Categories

  • Archives

    « Home

    Update: Netherlands Threatens to Fine Google Over Privacy Policy

    In the ongoing case concerning Google’s changes to its privacy policies a couple of years ago, the Netherlands announced that it will fine the Internet services giant if it doesn’t meet certain requirements by February 2015. “The Dutch Data Protection Authority (Dutch DPA) has imposed an incremental penalty payment on Google. This sanction may amount to 15 million euros. The reason for the sanction is that Google is acting in breach of several provisions of the Dutch data protection act with its new privacy policy, introduced in 2012.”

    Here’s a recap of the controversy and legal questions surrounding Google’s change to its privacy policies. In January 2012, Google announced changes in its privacy policies that would affect users of its services, such as search, Gmail, Google+ and YouTube. Advocates and legislators questioned the changes, saying that there were privacy issues, and criticized (pdf) the Internet services giant for not including an opt-out provision. The critics included 36 U.S. state attorneys general, who wrote to (pdf) Google raising privacy and security questions about the announced privacy policy changes. The EU’s Article 29 Data Protection Working Party wrote to (pdf) to the online services giant about the privacy policy changes, which affect 60 Google services. The Working Party, which includes data protection authorities from all 27 European Union member states as well as the European Data Protection Supervisor, asked Google to halt implementation of these changes while the data protection authority in France (the National Commission for Computing and Civil Liberties, CNIL) investigates. Google refused and its new privacy policies went into effect in March 2012. The CNIL investigation continued, and in January, CNIL fined the Internet services giant €150,000 ($204,000) over privacy violations.

    In its announcement, the Dutch DPA detailed requirements for Google to meet by February 2015 in order come into compliance with the Dutch data protection act and avoid the fine:

    The Dutch DPA demands that Google:

    • Will ask for the unambiguous consent of users for the combining of personal data from the different Google services. This can be achieved via a separate consent screen. Unambiguous consent can’t be obtained through information about this processing in the general (privacy) terms and conditions.
    • Further clarifies the information in its privacy policy in order to provide clear and consistent information to people on which personal data are used by the different services of Google.
    • Provides clear information about the fact the YouTube is part of Google. With regard to this last point, Google seems to have already taken measures in the Netherlands.

    The Dutch DPA also noted that “Google has recently sent a letter to the 6 data protection authorities, in which the company announces a large number of measures to comply with European privacy laws. The Dutch DPA has not yet established whether the proposed measures will end all the violations found by the Dutch DPA.”

    Recall that Google has paid small fines (compared with Google’s earnings) for privacy scandals before. In April 2012, the Federal Communications Commission decided (redacted pdf) that it would not take enforcement action against the company over data collection and retention as part of its online mapping service, Street View, but it would fine Google $25,000 for impeding the agency’s investigation into the private data collected and retained via its Street View product. In March 2013, Google reached a settlement (archive pdf) with 38 states and the District of Columbia over the collection and retention of individuals’ personal data through its Street View product, but the company would only have to pay $7 million total and implement a privacy program.

    Leave a Reply