The CNIL announced in a press release on Thursday that it has issued a formal notice to Google Inc. that requires the search engine to provide clear and sufficient information to users about how their data is being used. In particular, the Paris based regulator wants Google to:

  • Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
  • Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
  • Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
  • Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
  • Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page; and
  • Inform users and then obtain their consent in particular before storing cookies on their terminal.

By way of background, from February to October 2012, the Article 29 Working Party (“WP29”) carried out an investigation into Google’s new privacy policy to assess its compliance with the European Data Protection Directive. On the basis of its findings, published in a report on 16 October 2012, the WP29 asked Google to implement its recommendations within four months. According to Thursday’s press release, Google has not implemented any significant compliance measures since then.

France is thus the first national regulator to take concrete actions against Google in relation to its new Privacy Policy, which essentially allowed Google to combine user data from its various services. In the meantime, other regulators have also started formal proceedings against Google and it is expected that the CNIL notice will be the first of several enforcement measures by national  Data Protection Authorities (“DPAs”): the national regulators of Spain, Italy, UK, The Netherlands, and the regional DPA of Hamburg in Germany have either already started formal proceedings or are strongly considering it.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.