By Dan Cooper

On 16 October, 2012, the French data protection authority, the CNIL, released a report on behalf of the Article 29 Working Party that examines Google’s compliance with European data protection law.  The report marks a new stage in an investigation which began nine months ago, when Google announced that it intended to change its online privacy policy.  The report finds that Google’s new privacy policy (which came into effect on March 1) does not yet comply with European law in a number of important respects, and challenges Google to commit publicly to certain European data protection principles, including principles of “purpose limitation” and “data minimization”.

The report, released together with an annex, makes a number of recommendations to Google, including, for example, recommendations:

  • That Google enhance its notices to users by becoming more specific about what types of data Google processes and combines, and for which services; by introducing new interactive privacy notices; by adding more in-product and product-specific privacy information; and so on.
  • That Google simplify the various opt-out mechanisms that it provides to users, and to make them available in “one place”;
  • That Google obtain explicit user consent for the combination of user data for certain purposes.

A variety of other recommendations are also made in the Annex (for example, Google is asked to clarify that users are not required to sign up to Google Accounts using their real names).

In a morning press conference, CNIL President Isabelle Falque-Pierrotin said that she would allow Google a period of “a few months” to respond to the recommendations.  If Google takes no action by that time, she said the CNIL will consider litigating against Google in national French courts.

In a separate letter, other data protection authorities, from Australia, Canada, Mexico, Hong Kong and Macao (representing the Asia Pacific Privacy Authorities Forum) also endorsed the findings.