CNIL, the French data protection regulator, has sent a letter to Google on behalf of the Article 29 Working Party setting out a number of concerns with Google’s privacy policy. The Article 29 Working Party is made up of representatives of the data protection regulators from each European Union member state. In addition to sending the letter to Google, CNIL has also issued a list of recommendations for Google to comply with to deal with the CNIL’s concerns. CNIL has said that, if Google does not implement the recommendations within “months”, it will face litigation.
In March, Google consolidated its 60 privacy policies across its range of services and consolidated it into one all-encompassing privacy policy. The Article 29 Working Party unsuccessfully pressured Google to postpone the move, and asked CNIL to conduct an investigation once Google had made the change.
CNIL has said that the change that Google has made has no “valid legal basis”, and that Google should make sure that it has the consent of its users to combine personal data across its services. CNIL also said that Google’s current privacy policy does not give a user enough information about why personal data is collected and how it is used. It also recommended that there should be an opt-out for users who do not want their personal data combined across Google’s services.
Although CNIL has not directly accused Google of breaching European Union data protection laws, it has said that Google’s actions do not “respect” various aspect of the law.