The Information Commissioner’s Office in the UK announced that it has sent a letter to Google notifying it that its changes raise “serious questions” about compliance with the UK Data Protection Act.
The UK and Germany are among six European countries that April announced in April that they would take legal action against Google over the issue. The others are France, Spain, Italy and the Netherlands, the first three of which launched actions against Google last month.
France’s privacy body, the Commission nationale de l’informatique et des libertés, or CNIL, led an investigation into Google’s privacy practices conducted by the Article 29 Working Party, which was set up to advise the EU on data protection and the free movement of data on individuals.
“Google violated European law when it consolidated its privacy policies and data collection across services,” John Simpson, consumer advocate at Consumer Watchdog, told TechNewsWorld. “Data protection authorities warned them not to do it.”
This is the same problem Microsoft had with the EU, Rob Enderle, principal analyst at the Enderle Group, pointed out.
“The interpretation of the laws isn’t very rigid … and Google — and earlier, Microsoft — didn’t seem to really understand that the laws work differently there than in the United States.”
The ICO’s Position
Google has previously stated that its policies are in compliance with European law.
However, its updated policy does not provide enough information to enable users in the UK to understand how their data will be used across all of the company’s products, the ICO contends.
The ICO has threatened to take formal enforcement action if Google fails to comply by that date. It will coordinate its efforts with those of data protection authorities in other European countries.
Failure to comply would mean Google could be taken to court and eventually might face a fine of up to US$745,000.
The ICO did not respond to our request for further details.
The Bee in the EU’s Bonnet
Google did not comply with the EU data protection authorities’ recommendations issued in October, France’s CNIL said, and it did not follow up after a meeting with representatives of the six countries now pressuring the company.
Google has repeatedly run afoul of European data privacy laws and has been punished for this.
In April, the Hamburg Commissioner for Data Protection and Freedom of Information, which is Germany’s privacy body, fined Google more than $200,000 for allowing its Street View vehicles to collect data from WiFi networks, for instance.
The Hamburg Commissioner has strongly enforced privacy laws. In 2012, it issued an administrative order against Facebook over facial recognition technology, forcing that company to stop using the technology on its pages. This was done independently of the Irish Data Protection Commissioner’s actions on the issue, which were conducted on behalf of the EU as a whole.
“Under the current data protection directive, each country is charged with passing its own laws to implement the directive and enforce it,” Consumer Watchdog’s Simpson explained.
How the Europeans Might Punish Google
The EU could sue to block Google from operating there, but the company has nearly 98 percent of the search engine market in Europe, according to StatCounter.
Financially, the EU can’t really impact Google much. Together, the UK and France could fine Google a bit more than $1 million, but in the UK alone, Google reportedly generated more than $4 billion in sales.
That might change, however.
“I expect Google will come under more pressure than Microsoft did,” Enderle told TechNewsWorld. “The penalties could set records. However, Google clearly thinks they have the U.S. government in their pocket, and they may be right … this could make a difference.”