Google’s CEO, Larry Page, now belongs to the happy few who enjoy direct and regular contact with the CNIL’s president, Mrs. Falque-Pierrotin: he received on 19 March another letter from the French Data Protection Authority’s president pursuant to Google’s decision to launch its new integrated platform 1 March, despite the CNIL’s strong warning to postpone it.

This platform now integrates, in particular, services such as Google Search, Google+, YouTube, Analytics, DoubleClick, +1, Google Location Services and Google Android-based software.

Pursuant to the CNIL’s announcement, this second letter – which is again publicised on the CNIL’s website – contains a 12-page questionnaire divided into not less than 69 main questions on Google’s new privacy policy.

The CNIL outlines in its cover letter that the questionnaire was elaborated in collaboration with the other European DPAs within the Working Party 29.

Whilst the CNIL previously expressed serious doubts about the compliance of the said policy with the European Data Protection Directive (95/46/CE), questions such as “Please provide the legal basis for the combination of data across different services, with respect to article 7 of the Data Protection Directive (95/46/CE)” (Question No. 32) no longer show such doubts concerning the response.

The CNIL focuses on several issues in its questionnaire:

  • The transition to the new privacy policy, in order to verify how and how many users were informed of it
  • The services proposed as well as the collected data: in both regards, the CNIL asks for a list of the services concerned by the integrated platform, and for the different data categories concerned
  • The purposes of the processing, in particular how “more relevant search results and ads” are provided to the users
  • The new data retention policy
  • The data owner’s rights and consent, which is obviously a major source of concern:
    • How is the “explicit consent” of the users obtained by Google? In particular, did Google request an explicit consent from users having a Google account before the transition?
    • Why did Google remove the opt-out option given to users in its previous privacy policies for the combination of information and for other services in general?
    • How is the opt-in option given to users for personally identifiable information monitored, and which data does such option cover?
    • How is the user’s consent obtained for cookies?
    • How is the user’s right to oppose organized and granted?
    • How can the user opt out from personalized advertising? The CNIL provided a detailed and comprehensive schedule based on the different kinds of personalised ads (deriving from queries, site visits, clicks, etc.) and depending on the user category: passive, non-authenticated and authenticated user. Google is requested to complete this schedule and provide explanations for each kind of personalised ads.
  • The Terms of Service of the new policy: the CNIL asks in particular how these Terms of Service apply to personal data uploaded by users
  • The legitimacy of data connection between services, in which the CNIL directly asks for the legal basis on the grounds of which Google proceeds to such connection (!)
  • The user’s information in general, including concerning the use of mobile android platforms

The CNIL gave Google until 5 April to respond to its questionnaire. The cover letter mentions that the CNIL “encourages” Google “to provide detailed and specific answers to each question”, concluding, not without a strong sense of irony, that Google’s responses will be treated confidentially, unless Google authorizes the CNIL to publicise them…

The length of the CNIL’s questionnaire and the general tone of the questions are strong indicators for the seriousness of the CNIL’s analysis, and its willingness to obtain that the first major “intelligent advertisement” system complies with applicable data privacy regulation.