Google's new privacy policy begins. Does it break the law?

The European Union's Justice Commission says that several agencies across the Eurozone have serious worries about the Internet titan's "simple" privacy experience.

Don Reisinger
CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
Don Reisinger
4 min read

Today is the big day. But not everyone is too excited about it.

Google has officially implemented its new, combined privacy policy. On the company's Privacy Policy page, Google describes everything from how it collects information across its many sites to what it does with all that information.

After announcing plans in January to implement a combined privacy policy that covers all of its many services, the search company said that it would make for a "beautifully simple, intuitive user experience."

"The main change is for users with Google Accounts. Our new Privacy Policy makes clear that, if you're signed in, we may combine information you've provided from one service with information from other services," Alma Whitten, director of privacy, product and engineering, wrote in a blog post at the time. "In short, we'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience."

But not everyone is too pleased the search giant went forward with the change. In a letter dated February 27 and obtained today by CNET, France's data protection authority, the Commission Nationale de l'Informatique et des Libertes (CNIL), wrote to Google CEO Larry Page saying that the privacy policy might not be lawful under European Union rules.

"The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services," the letter reads. "They have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation."

CNIL has been conducting an investigation into Google's new privacy policy for the last several weeks. The organization says that it took the lead in the analysis after being invited to do so by the EU's Article 29 Working Party. The group has asked Google to "pause" its privacy policy implementation--something that has fallen on deaf ears at Google headquarters.

The European Union's Justice Commissioner, Viviane Reding, has come out in full support of the French initiative, and has even chastised Google for ignoring the CNIL's calls.

"I support the French data protection authority's request to Google to delay the introduction of its new privacy policy until questions about the policy's compliance with EU data protection rules have been resolved," Reding said in a statement to CNET. "It is unfortunate that Google has gone ahead with the new policy before addressing the French data protection authority's concerns.

"All companies that offer services to European consumers must provide their customers with clear information about their privacy policy," she continued. "In Europe, consumers must be able to make informed decisions about using Internet-based services."

Reding has been leading an EU-wide fight for data protection since January when she and her team unveiled a comprehensive reform that would attempt to improve the safekeeping of user data across the Internet.

"Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds," Reding said in a statement at the time. "The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information."

Reding proposed that Web users have ready access to all their data, and have the ability to transfer it from one service to another. Reding would also like to see companies operating in the EU to destroy user data when there is no "legitimate grounds for retaining it." If the European Parliament and Member States approve the proposals, they would be implemented two years after adoption.

But that's not a near-term issue for Google. Recent concerns over the privacy policy change, however, are more worrisome.

Soon after Google announced the change, it was posed several questions by U.S. lawmakers who were concerned it might hurt users. In its 13-page response, Google said that the revision is designed to make things "simpler," and that it has been doing this "for a long time." The company also confirmed that it's not collecting more data from its users.

That wasn't enough for the Center for Digital Democracy, which filed a complaint with the U.S. Federal Trade Commission last month, saying that Google wasn't divulging the "real reason" it wants to change its privacy policy: advertising.

"In particular, Google fails to inform its users that the new privacy regime is based on its own business imperatives: to address competition from Facebook' to grow its capacity to finely profile and target through audience buying; to collect, integrate, and utilize a user's information in order to expand its social media, social search, and mobile marketing activities ... and generally to expand its DoubleClick (advertising) operations," the complaint read.

According to a Tokyo Times Report published today, even Japan's government has issued a warning to Google, saying it must be careful with user data under the new privacy policy or face violations to the country's data-protection laws.

Google has not immediately responded to CNET's request for comment on its possible legal troubles.