Google's practice of combining user data from its different services without user consent violates Dutch data protection law, the country's privacy watchdog said Thursday.
"Google spins an invisible web of our personal data, without our consent. And that is forbidden by law," DPA Chairman Jacob Kohnstamm said in a statement. The finding won't immediately result in any enforcement measures, but Google has been invited to a hearing to determine if such measures are necessary.
Opponents of the change sued, saying the move was designed to increase the company's advertising effectiveness. EU officials asked that Google delay implementing its new policy until the privacy implications can be analyzed, but the Web giant declined, saying it had it extensively pre-briefed privacy regulators on the changes and that no objections were raised at the time.
The controversial changes led to lawsuits from the Electronic Privacy Information Center and the Center for Digital Democracy, among others.
After a months-long inquiry into the legality of the changes, French privacy watchdog Commission Nationale de l'Informatique et des Libertes (CNIL) asked Google in October 2011 to amend the policy within four months to better inform users on how their data would be used and set more precise limits on how long data would be retained. In April, the CNIL announced "coordinated and simultaneous enforcement actions" with five other European countries because Google had not implemented any "significant compliance measures."