The Dutch data protection authority, the College Bescherming Persoonsgegevens (CBP), has released a report following a seven-month investigation examining Google’s changes to its privacy policy. CBP’s report condemns Google for violating Dutch data protection law, the Wet bescherming persoonsgegevens (Wbp).

Controversially in March 2012, Google made changes to its privacy policy (GPP2012) to allow the combination of data collected from all of its services (including Google Search, Google Chrome, Gmail, Google DoubleClick advertising, Google Analytics, Google Maps and YouTube, as well as cookies via third-party websites).  Most significantly, CBP found that Google failed to demonstrate that adequate safeguards had been put in place to ensure the combination of data in this manner was limited to that which was strictly necessary, and Google was therefore in breach of Article 8 Wbp.

CBP also found that in breach of Article 33 & 34 Wbp, GPP2012 demonstrated a lack of information as to Google’s identity as data controller, and the types and extent of data collected or the purposes for which Google needs to combine this data. GPP2012 states that the purpose of its data-processing activities is ‘the provision of the Google service’. CBP found this statement to be ambiguous and insufficiently specific. CBP held without any legal grounds for processing, that Google had no legitimate purpose to collect data in this manner and was therefore found in breach of Article 7 Wbp.

Furthermore, and specifically in relation to Google’s data-processing activities associated with tracking cookies, CBP declared Google in breach of Article 11.7a of the Dutch telecommunications act Telecommunicatiewet (Tw), which requires unambiguous consent. CBP found that Google failed to offer any prior options to consent, reject or later opt out of such data-processing activities. CBP reiterated it was insufficient for Google to claim that acceptance of its general terms of service and privacy policy amounted to consent.

Jacob Konstamm, CBP Chairman, commented, “Google spins an invisible web of our personal data, without consent. That is forbidden by law.” In response, Google commented, “Our privacy policy respects European law and allow us to create simpler, more effective services…We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward.”