Google 'spins invisible web' with user data, Dutch watchdog says

Web giant's practice of combining user data from its different services violates data protection law, the agency says.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read

Google's practice of combining user data from its different services without user consent violates Dutch data protection law, the country's privacy watchdog said Thursday.

A 2012 overhaul of Google's privacy policy gave the company the right to "combine personal information" across multiple products, including payment information and location data. However, the Dutch Data Protection Authority found that the company does not adequately inform users of the practice in advance nor seek their consent.

"Google spins an invisible web of our personal data, without our consent. And that is forbidden by law," DPA Chairman Jacob Kohnstamm said in a statement. The finding won't immediately result in any enforcement measures, but Google has been invited to a hearing to determine if such measures are necessary.

Google raised the ire of privacy advocates in January 2012 with a privacy policy rewrite that would grant it explicit rights to "combine personal information" across multiple products and services. The simplified privacy policy, which would replace 60 privacy policies for different services, would only improve the user experience, Google argued.

Opponents of the change sued, saying the move was designed to increase the company's advertising effectiveness. EU officials asked that Google delay implementing its new policy until the privacy implications can be analyzed, but the Web giant declined, saying it had it extensively pre-briefed privacy regulators on the changes and that no objections were raised at the time.

The controversial changes led to lawsuits from the Electronic Privacy Information Center and the Center for Digital Democracy, among others.

After a months-long inquiry into the legality of the changes, French privacy watchdog Commission Nationale de l'Informatique et des Libertes (CNIL) asked Google in October 2011 to amend the policy within four months to better inform users on how their data would be used and set more precise limits on how long data would be retained. In April, the CNIL announced "coordinated and simultaneous enforcement actions" with five other European countries because Google had not implemented any "significant compliance measures."

Google, for its part, has maintained that its privacy policy isn't illegal and that the company has consistently cooperated with investigators.

"Our privacy policy respects European law and allows us to create simpler, more effective services," Al Verney, a Brussels-based spokesman for Google, told Bloomberg. "We have engaged fully with the Dutch data protection authority throughout this process and will continue to do so going forward."