Security Experts:

Connect with us

Hi, what are you looking for?



EU Watchdogs Tell Google to Clarify Privacy Policy

European Union data regulators have given Google four months to modify its privacy policy or face possible fines and enforcement actions.

European Union data regulators have given Google four months to modify its privacy policy or face possible fines and enforcement actions.

Google needs to offer more detailed information about what it does with users’ personal data and specify how long the data is kept, EU privacy watchdogs said in a letter sent to Google on Tuesday. Regulators had reviewed Google’s new privacy policy, and concluded the company needed to create simpler tools that would allow users more control over how their data is used. The recommendations were signed by regulators from 27 of the 29 EU countries.

When the new privacy policy was unveiled earlier this year, Google had said if users are signed into their Google accounts, user data from one Google service can be combined with data collected in other Google services to be used for targeted advertising. Under the policy, Google would be able to mash together user Web-search history, with videos watched on YouTube, and data taken out of the user’s Android device. By collapsing distinct privacy policies from about 60 services into one single system, Google would be able to recommend content that was more relevant to users, the company said at the time.

EU privacy chiefs did not agree, suggesting Google may be violating specific EU data laws.

“It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object,” Commission Nationale de l’Informatique, France’s privacy agency that took the lead in this inquiry, said in a statement on Tuesday.

“The privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data,” according to CNIL. Google did not disclose its retention period when the regulators asked for more information, but analysis of the available information indicated some services have retention periods of as long as 18 months or two years.

It’s also not clear to users which data would be used for product development, advertising, or research.

EU issued 12 recommendations that would bring the privacy policy in line with what EU requires, such as clearly setting a retention period and better ways to inform users on how the data is being used. Google should also implement notices such as “interactive presentations” and allow “users to navigate easily” through the policies. Google should make it easier to opt out of data collection and also allow users to sign in to one Google service while using another anonymously at the same time, the regulators said.

Google has four months to implement changes before each agency can purse enforcement action, according to CNIL. Penalties and actual enforcement authority varies by country.

“If Google does not conform in the allotted time, we will enter into the disciplinary phase,” CNIL president Isabelle Falque-Pierrotin told Reuters.

“We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law,” Peter Fleischer, global privacy counsel at Google, told SecurityWeek in an emailed statement.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


U.S. fighter jets successfully shot down the high altitude spy balloon launched by and belonging to China.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.


The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...


The U.S. is tracking a suspected Chinese spy balloon spotted over U.S. airspace, officials said on Feb. 2, 2023.

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...