Google could face fines from six European countries’ privacy regulators, including the UK and Germany, after refusing to reverse changes to its privacy policies made in March last year.
The search company has infuriated the regulators by declining to respond to their demands made over multiple months — even as research shows that user concerns about online privacy are high.
France’s privacy body, CNIL, together with its counterparts in the UK, Netherlands, Germany, Spain and Italy, said on Tuesday they would take joint legal action involving an investigation and possible fines.
The UK’s Information Commissioner’s Office (ICO) can levy fines of up to ￡500,000 (US$754,400) for breaches of the Data Protection Act. A decision is expected by this summer. CNIL could fine it up to 300,000 euros (US$384,150).
However, even both fines added together would be less than Google generates in sales in 10 minutes. Yet the regulators could sue to block Google from operating in Europe — a move that would be highly damaging to its reputation.
Google’s rival Facebook has been forced in the past to make a number of changes to its operation to comply with Europe’s data protection laws, which are significantly tougher — but more fragmented — than those in the US.
After an earlier data protection investigation concluded in October last year, CNIL said in a statement on Tuesday that “the EU Data protection authorities asked Google to comply with their recommendations within four months.”
“After this period has expired, Google has not implemented any significant compliance measures,” the statement said.
The agencies complained of being stonewalled by Google for over a year about their concerns that its unification of more than 60 separate privacy policies last year could confuse users and leave them unsure how their data was being used.
“We put our concerns to Google [in October] and gave them a date to respond,” a spokesperson for the ICO said. “They failed to respond. We had a meeting in March and Google was present, and gave them a deadline to respond. They failed to respond. Google has failed to address the concerns or take on board the recommendations from the meeting held last month.”
Sources at Google said the company filed a response to the October recommendations in January, but added “no change [in privacy policies] isn’t the same as no response.”
The rolling-up of the policies sparked an investigation led by CNIL last year. Google’s intent was to combine user data from the different services, so that videos watched on YouTube would inform the choice of advertising shown when doing Google searches or reading Gmail.
In October, CNIL and the other regulators criticized the changes, and demanded alterations. Google declined to do so.
“Consumers are increasingly concerned about how their data is being used, and it is essential that those breaking the law are properly punished. It is essential regulators find a sanction that is not just a slap on the wrists and will make Google’s think twice before it ignores consumer rights again,” Pickles said.