February 2012 will last as a milestone of an unprecedented fight between the Working Party 29, which comprises the European Data Protection Agencies, and Google.
Google has highly publicised the forthcoming launch of an integrated platform that is deemed to allow a better tracking of the user’s personal data and in particular to advertise with adds related to previous online searches of the user.
On February 27, the President of the CNIL sent a letter to Google’s CEO Larry Page that, in another unprecedented move, has been published on the CNIL’s website.
Neither is the information about what Google will not do with the data (such as sharing personal data with advertisers) considered as sufficient in the CNIL’s valuation.
(2) Moreover, the CNIL raises important concerns about the platform itself, on two separate issues.
First, the fact that the integrated platform combines data across services raises the CNIL’s concerns since its preliminary investigation shows “that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals”. Second, such combination being mainly done by using cookies, the CNIL raises the issue of the preliminary consent of the user provided in Article 5(3) of the revised ePrivacy Directive, and implemented under applicable French regulation.
The CNIL concludes here also that it has, with the Working Party 29, “strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation”.
The CNIL finally urges Google to “pause” the launch of the platform, announcing that it will fully address this question in the following weeks and send a questionnaire to Google, outlining that such questionnaire will also comprise “other related aspects of Google’s data processing activities”.
The fact that this strong warning is now issued directly by one of Europe’s most powerful and restrictive Data Protection Authorities shows doubtlessly an escalation in this matter, the CNIL having strong enforcement powers: it can fine non complying data controllers to up to 300,000 euros per offence.
Finally, this letter sets a strong warning signal showing the caution with which European Data Protection authorities are monitoring the development of “intelligent advertising”.