We have previously reported on the different requests and repeated questionnaires the Commission nationale de l’informatique et des libertés (CNIL) has sent to Google over the past few months regarding the evaluation of Google’s compliance with applicable European Data Protection Regulation concerning its new integrated privacy policy, as well as the new integrated platform launched March 1, 2012, despite the CNIL’s demand to postpone such launch.

In an unprecedented step, the CNIL, which had been designated by all the other European Data Protection Authorities (Working Party 29) to carry out this evaluation, arranged for the Working Party 29 (WP29) as a whole, with the signature of all 29 heads of the respective Authorities, to send a highly publicized letter to Google on October 16, 2012, with a 10-page document listing a full set of recommendations on how Google should work in order to ensure compliance.

The conclusions of the WP29 are unusually severe despite the previous back-and-forth between Google and the CNIL over the past months:

  • Google does not inform its users properly concerning its data processing operations. In other words, the WP29 still considers, as the CNIL did from the very beginning, that it is impossible for users to get a sense of what data will be/is processed by Google, and how.
  • Google does not provide any data retention periods. This remark shows regulators’ growing concern about data retention and about the information that any data controller has to provide to users and regulators specifically in that regard, which Google failed to do in the WP29’s view.
  • The WP29 urges Google to “modify its practices when combining data across services for these purposes,” not only by being transparent about the data combinations performed across its integrated platform between the various services, but also and primarily in:
    • Obtaining the users’ consent for such combinations (the WP29 suggests that no data combination occurs before the users voluntarily click a “Search Plus Your World” button in that respect)
    • Facilitating the users’ opt-out from such combinations
    • And last, but not least, “adapting the tools used by Google for the combination of data so that it remains limited to the authorized purposes,” in order to differentiate between what belongs to advertisement purposes and what belongs to security

The WP29 also provides explicit guidance on how such transparency requirements need to be met: through three levels of product-specific information displayed to the users; “interactive presentations”; more and explicit information as to the impact of the processing on the users, through the adaptation of such information to mobile users; and last, but not least, through ensuring that passive users are also properly informed.

Also very interesting is the fact that the CNIL outlined in its presentation this week that the WP29 is backed in its request to Google by all Asia Pacific Privacy Authorities, as well as by the Canadian Privacy Commissioner.

The conflict between the CNIL and Google has therefore escalated into a global issue and has been taken up by a significant number of regulators across the world that have adopted a firm common position against Google’s integrated platform. Without any doubt, European regulators, and the CNIL in particular, have shown their muscle in what can be seen as a precedent.

This conflict is now entering a new phase: Google is required to answer to the CNIL, not only on how it is processing data, but also on how it will finally comply.

The CNIL has indicated that it would not hesitate to enter into a contentious phase in France if necessary.