European Union data regulators have given Google four months to modify its privacy policy or face possible fines and enforcement actions.
Google needs to offer more detailed information about what it does with users’ personal data and specify how long the data is kept, EU privacy watchdogs said in a letter sent to Google on Tuesday. Regulators had reviewed Google’s new privacy policy, and concluded the company needed to create simpler tools that would allow users more control over how their data is used. The recommendations were signed by regulators from 27 of the 29 EU countries.
When the new privacy policy was unveiled earlier this year, Google had said if users are signed into their Google accounts, user data from one Google service can be combined with data collected in other Google services to be used for targeted advertising. Under the policy, Google would be able to mash together user Web-search history, with videos watched on YouTube, and data taken out of the user’s Android device. By collapsing distinct privacy policies from about 60 services into one single system, Google would be able to recommend content that was more relevant to users, the company said at the time.
EU privacy chiefs did not agree, suggesting Google may be violating specific EU data laws.
“It is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object,” Commission Nationale de l’Informatique, France’s privacy agency that took the lead in this inquiry, said in a statement on Tuesday.
“The privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data,” according to CNIL. Google did not disclose its retention period when the regulators asked for more information, but analysis of the available information indicated some services have retention periods of as long as 18 months or two years.
It’s also not clear to users which data would be used for product development, advertising, or research.
EU issued 12 recommendations that would bring the privacy policy in line with what EU requires, such as clearly setting a retention period and better ways to inform users on how the data is being used. Google should also implement notices such as “interactive presentations” and allow “users to navigate easily” through the policies. Google should make it easier to opt out of data collection and also allow users to sign in to one Google service while using another anonymously at the same time, the regulators said.
Google has four months to implement changes before each agency can purse enforcement action, according to CNIL. Penalties and actual enforcement authority varies by country.
“If Google does not conform in the allotted time, we will enter into the disciplinary phase,” CNIL president Isabelle Falque-Pierrotin told Reuters.
“We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law,” Peter Fleischer, global privacy counsel at Google, told SecurityWeek in an emailed statement.