France orders Google to change its privacy policies

Charged with violations of the French Data Protection Act, the search giant is under the gun to rework how it handles personal data.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
2 min read

Google has three months to clean up its privacy act in France or else.

On Thursday, French regulator CNIL (Commission nationale de l'informatique et des libertes) charged that Google's policies for collecting user data continue to violate French law. If the company doesn't modify those policies within the next three months, it would be fined 150,000 euros (almost $198,000). A second fine of 300,000 euros (almost $396,000) would follow if Google still fails to comply, Reuters reported.

Specifically, Google has been ordered to implement the following changes, as outlined by the CNIL:

  • Define specified and explicit purposes to allow users to understand practically the processing of their personal data.
  • Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented.
  • Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected.
  • Not proceed, without legal basis, with the potentially unlimited combination of users' data.
  • Fairly collect and process passive users' data, in particular with regard to data collected using the "Doubleclick" and "Analytics" cookies, "+1" buttons or any other Google service available on the visited page.
  • Inform users and then obtain their consent in particular before storing cookies in their terminal.

From February to October of 2012, the CNIL led an investigation into Google's privacy policies to determine if they were in compliance with European law. Based on its findings, the group asked Google in October to revise its policies within four months. But Google has yet to made any "significant compliance measures," the CNIL charged.

If Google doesn't comply, it faces more than just the wrath of French regulators.

"By the end of July, all the authorities within the (EU data protection) task force will have taken coercive action against Google," CNIL President Isabelle Falque-Pierrotin said, according to Reuters.

As a result, the company potentially faces fines of several million euros across Europe.

"The CNIL's threat of a 300,000 euro fine will have no effect whatsoever on Google," William Keylor, a professor of international relations and history at Boston University, told CNET.

"It would seem that such a mild threat is intended for domestic consumption to appeal to a French public anxious about threats to its privacy," Keylor said. "But if the current investigations undertaken by the French and other European governments result in significantly stiffer financial penalties, that might very well force the company to review its policies on data collection."

In response to the CNIL's order, Google sent CNET this statement: "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we'll continue to do so going forward."

Update, 7:15 a.m. PT: Adds response from Google.

Update, 10:05 a.m. PT: Adds input from a professor of international relations and history at Boston University.