The investigation was prompted by allegations that Google failed to implement recommendations issued to it by the EU Working Party in October 2012.
On 1 March 2012, Google updated its terms of service and consolidated more than 60 of its privacy policies into a single policy for almost all its services. This enabled Google to aggregate users' personal data from across their accounts and services, including Gmail, Google Play, Google+, internet searching, maps, YouTube, location data and photo sharing.
What were the Working Party's findings and recommendations?
A letter was sent to Google outlining the recommendations of the EU data protection authorities, which was individually signed by 27 European data protection authorities.
The CNiL reported that Google had failed to provide clear and comprehensive information about the categories of data that each Google service processes, the extent of Google's processing activities and the purposes for which each service processes personal data. It also reported that users did not always have sufficient control in deciding which of Google's services collected and used data about them.
The CNiL expressed concern that Google could potentially collect and use excessive amounts of data, as any online activity related to Google (use of its services, Android system or consultation of third party websites using Google's services) could be gathered and combined by Google.
The report also highlighted that the data collected was used for a wide range of different purposes (including product development, security and advertising), but that the policy did not distinguish between different types of processing.
The CNiL subsequently issued various recommendations to Google, which included suggestions to:
- provide clearer information to users about the data collected and the purposes for which each Google service processes personal data
- offer clear 'opt out' mechanisms, so that users are free to opt out of having their data collected for particular services
- limit the amount of data Google stores about users and the potential uses of the data, and incorporate mechanisms to distinguish between different uses of the data
The ICO investigates
What is the potential impact of these investigations?
Privacy policies should be tailored so that they effectively inform individuals what personal data is collected and how it is stored and processed by that organisation.
Google is undoubtedly a big player in the online environment, so these investigations are likely to be of great interest to other online providers.