Data protection authorities announce investigations into Google's privacy policy


Author: Aisling Duffy and Joanna Davis

On 2 April 2013, data protection authorities across the EU - including the Information Commissioner's Office (ICO) - announced that they are now investigating whether Google's privacy policy complies with national data protection laws.

The investigation was prompted by allegations that Google failed to implement recommendations issued to it by the EU Working Party in October 2012.


On 1 March 2012, Google updated its terms of service and consolidated more than 60 of its privacy policies into a single policy for almost all its services. This enabled Google to aggregate users' personal data from across their accounts and services, including Gmail, Google Play, Google+, internet searching, maps, YouTube, location data and photo sharing.

As a result, the EU's Article 29 Working Party asked the French data protection regulator, the CNIL, to lead an investigation into Google's new privacy policy. The CNIL was asked to examine whether Google's privacy policy complies with the requirements set out in the Data Protection Directive.

What were the Working Party's findings and recommendations?

In October 2012, the CNIL reported that Google's privacy policy did not fully meet the requirements of the Data Protection Directive.

A letter outlining the recommendations of the EU data protection authorities, individually signed by 27 European data protection authorities, was sent to Google.

The CNIL reported that Google had failed to provide clear and comprehensive information about the categories of data that each Google service processes, the extent of Google's processing activities and the purposes for which each service processes personal data. It also reported that users did not always have sufficient control in deciding which of Google's services collected and used data about them.

The CNIL expressed concern that Google could potentially collect and use excessive amounts of data, as any online activity related to Google (use of its services, Android system or consultation of third-party websites using Google's services) could be gathered and combined by Google.

The report also highlighted that the data collected was used for a wide range of different purposes (including product development, security and advertising), but that the policy did not distinguish between different types of processing.

The CNIL subsequently issued various recommendations to Google, which included suggestions to:

  • provide clearer information to users about the data collected and the purposes for which each Google service processes personal data
  • offer clear 'opt out' mechanisms, so that users are free to opt out of having their data collected for particular services
  • limit the amount of data Google stores about users and the potential uses of the data, and incorporate mechanisms to distinguish between different uses of the data

The ICO investigates

The CNIL gave Google four months to comply with its recommendations and to upgrade its privacy policy practices. This time period has now expired, and it is reported that Google has not implemented any significant compliance measures.

The ICO has now announced that it has launched an investigation into whether Google's privacy policy is compliant with the Data Protection Act 1998.

The ICO will be joined by the data protection authorities of France, Germany, Italy, the Netherlands and Spain, which have also announced they will investigate the issue to determine whether Google's privacy policy complies with their respective national data protection legislation.

In a statement, Google has said that its privacy policy 'respects European law'.

What is the potential impact of these investigations?

The investigations into Google highlight the importance of having a clear and well-drafted privacy policy.

Privacy policies should be tailored so that they effectively inform individuals what personal data is collected and how it is stored and processed by that organisation.

Organisations should consider whether or not their privacy policy can be clearly understood by users, and whether or not users are given sufficient choices about how their personal data is processed.

Google is undoubtedly a big player in the online environment, so these investigations are likely to be of great interest to other online providers.