By Dan Cooper

On 16 October, 2012, the French data protection authority, the CNIL, released a report on behalf of the Article 29 Working Party that examines Google’s compliance with European data protection law.  The report marks a new stage in an investigation which began nine months ago, when Google announced that it intended to change its online privacy policy.  The report finds that Google’s new privacy policy (which came into effect on March 1) does not yet comply with European law in a number of important respects, and challenges Google to commit publicly to certain European data protection principles, including principles of “purpose limitation” and “data minimization”.

The report, released together with an annex, makes a number of recommendations to Google, including, for example, recommendations:

  • That Google enhance its notices to users by becoming more specific about what types of data Google processes and combines, and for which services; by introducing new interactive privacy notices; by adding more in-product and product-specific privacy information; and so on.
  • That Google simplify the various opt-out mechanisms that it provides to users, and to make them available in “one place”;
  • That Google obtain explicit user consent for the combination of user data for certain purposes.

A variety of other recommendations are also made in the Annex (for example, Google is asked to clarify that users are not required to sign up to Google Accounts using their real names).

In a morning press conference, CNIL President Isabelle Falque-Pierrotin said that she would allow Google a period of “a few months” to respond to the recommendations.  If Google takes no action by that time, she said the CNIL will consider litigating against Google in national French courts.

In a separate letter, other data protection authorities, from Australia, Canada, Mexico, Hong Kong and Macao (representing the Asia Pacific Privacy Authorities Forum) also endorsed the findings.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.