French could serve up fines to Google for privacy violation

Google might face hundreds of thousands of dollars in fines in France for privacy violations. Small potatoes to the company, but the ruling could portend a more difficult relationship between Europe and Google.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
On the day of Google's 15th birthday, French regulatory agency CNIL prepares to sanction the company. Google/Screenshot by CNET

French privacy watchdog CNIL said Friday that it plans to sanction Google following the search giant's refusal to implement privacy policy changes demanded by the group.

Google could owe France 150,000 euros ($202,755) for the violation, and then another 300,000 euros if it still refuses to comply three months after the first fine. However, CNIL has not ruled on what sanctions, if any, it will demand of the company. That news is expected sometime in the next week.

Not surprisingly, Google says that it's in compliance with the law. "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and we'll continue to do so going forward."

CNIL regulators disagreed with that assessment. "On the last day of the three-month time period given to Google, Inc., the company contested the reasoning followed by the CNIL, and notably the applicability of the French data protection law to the services used by residents in France," the agency wrote on its Web site.

The next step is for CNIL to appoint a rapporteur to initiate the possibility of sanctions, which could include the fines. CNIL is asking that Google:

  • Define specified and explicit purposes;
  • Inform users with regard to the purposes of the processing implemented;
  • Define retention periods for the personal data processed;
  • Not proceed, without legal basis, with the potentially unlimited combination of users' data;
  • Fairly collect and process passive users' data;
  • Inform users and then obtain their consent in particular before storing cookies in their terminal.

Privacy experts are watching the case closely, because it could be the first in a new round of attempts by European governments to keep large American data-and-services companies like Google and Facebook in check with stricter enforcement of existing laws.

The case is important, said the Electronic Privacy Information Center's executive director, Marc Rotenberg, "because the changes that Google made to its privacy policies in March of 2012 were opposed by many people."

Rotenberg is referring to Google's unified privacy policy, which gave it the legal protection to share user data between its different services such as Gmail and YouTube, and is at the heart of the CNIL decision.

Sarah Downey, a privacy and law analyst with privacy-focused startup Abine, said that some of what CNIL is demanding is "very reasonable."

"Google should be able to answer how long they hold onto your data," she said.

Justin Brookman, the head of the Center for Democracy and Technology's Project on Consumer Privacy, said that Google is "probably more concerned about [Federal Trade Commission] enforcement than European regulator enforcement," noting that the company had to pay a $22 million fine for tracking cookie violations in Safari.

While Downey said that Google should be able to answer basic questions about what it's doing with your data, Brookman explained that Google might not know, and that could be part of why it's willing to take the hit from European regulators.

"From Google's perspective, they're probably not sure what they're going to do with the data right now. 'People trust us with the data, but we're going to do awesome things with it because we're Google.'"

Brookman did lament Google's lack of forthrightness in how long it keeps user data, echoing Downey, CNIL, and other privacy experts.

"It's ironic and hypocritical that Google wants to be able to talk about what's happening with the NSA, but they don't want to talk about what's happening with their own company," Downey said.

While Rotenberg said that it's important not to rush to conclusions on how CNIL will sanction Google, he did say that the situation has become more complex because of the National Security Agency spying.

"From the European perspective, [the NSA spying] is pretty much a nightmare because you worry about your commercial and confidential information becoming available to your international competitors," he said.

Even after CNIL makes a decision about what to do with Google, the company is not likely to stay out of regulators' crosshairs for long. One potential target, Rotenberg said, is Hummingbird, the company's new search engine algorithm.

"Hummingbird is completely a black box. They have no idea what it does; nobody has access to the code; and no one can evaluate it," he said.

"I'm not trying to gang up on Google here. But it's an enormous irony that they want more to be available, but are very private with their own data."

Also being discussed are what Downey described as "big changes" to the European Union's privacy rules. One of these, the hotly debated "right to be forgotten," would let you remove yourself from the Internet.

"It seems like Google is just going to keep getting in trouble," she said, but she doesn't think that potential changes will affect how the company handles user privacy.

"Will it change how Google does business? I don't see why it would," she said.