Google should provide users with more information about its policies, stop combining information from different sources when it is not legally justified, and guarantee to delete personal data after set periods, the authorities told Google on Tuesday in a formal letter to CEO Larry Page signed by the members of the Article 29 Working Party (A29WP), which brings together data protection authorities from across the European Union.
In February, the authorities wrote to Google asking it to delay introduction of the policy, warning that it appeared to breach European privacy laws. Google refused, prompting the A29WP to ask the French National Commission on Computing and Liberty (CNIL) to conduct a full investigation.
"I regret that Google did not want to wait. It would have been much better otherwise for the privacy of hundreds of millions of users of Google's services," said Jacob Kohnstamm, chairman of the A29WP and also head of the Dutch data protection authority, at a news conference in Paris.
Google didn't cooperate fully with the investigation, said CNIL president Isabelle Falque-Pierrotin. Despite being sent detailed questionnaires about its policies, it replied with examples and not precise statements.
In the March policy changes, Google combined many different privacy policies into one, and said it may use information from many different sources to modify the behavior of any of its services.
Explicit consent is required for advertising, analytics
European privacy law allows such combination of data in certain cases, including where the user requests it, for security, for the provision of a Google account and for academic research.
However, there are four cases in which explicit consent is required from the service user, said Falque-Pierrotin, including product development, advertising and analytics. Google should seek that consent from its users before combining data to those ends, and also provide them with a way to opt out, Falque-Pierrotin said.
The company should also explain more clearly what data it stores, and for how long, she said.
The members of the A29WP only sent their letter to Page on Tuesday, but they had already presented their recommendations to Google on 19 September, she said.
Those recommendations include ensuring that it complies with Article 5(3) of the European ePrivacy Directive, the so-called Cookie Directive; rolling out to all countries the version of Google Analytics designed to meet German privacy laws; and simplifying opt-out procedures and making them all accessible from a single page.
Even for users not logged in to a Google service, there are four different places they must opt out of Google advertising data collection, said Gwendal Le Grand, head of CNIL's technical advisory team. "If you want to opt out today, it's very long and it's not easy to find how to do it."
Although the members of the A29WP set no firm deadline for Google to take action, Falque-Pierrotin said she expected Google to make a commitment to change its policy within three or four months. If it did not, then she expected that a number of national data protection authorities would take action.
Financial sanctions do not make much difference
The financial sanctions that Google faces are tiny. In a recent case involving the illegal collection of Wi-Fi data by Google's Street View cars, CNIL fined the company €100,000 (£16,000). Google reported a net profit of £1.73 billion ($2.79 billion) for the second quarter, on revenue of £7.59 billion ($12.21 billion).
"It's not the size of the fine that's important," said Falque-Pierrotin. She is counting on the bad publicity that will result if Google does not change its ways.
The A29WP's action had also received the support of data protection authorities in other countries, including Australia, Canada, Mexico and Hong Kong.
Things are a little different in the US, said Kohnstamm: the Federal Trade Commission there is already taking its own action against Google.
However, he said, he expects the concerted action of all the other data protection authorities to send a clear message to Google - and to other big Internet companies - that they are serious in their demands, and that privacy protection is something on which companies can compete to win customers.