Google's new privacy policy breaches European law, say data regulators

Google should delay introduction of the policy until European regulators have completed an investigation of the changes

Google's new privacy policy does not comply with European data protection law, and the company should delay its introduction pending an investigation of the changes, the French data privacy regulator told Google CEO Larry Page in a letter on Monday. But the company said once again that it will press ahead with the new policy, set to go live on Thursday.

The French National Commission on Computing and Liberty (CNIL) wrote to Page to express the concerns of the Article 29 Working Group, an umbrella body for data protection regulators from European Union member states.

Page did not respond directly: The company's reply was signed on behalf of Google Global Privacy Counsel Peter Fleischer.

The Article 29 Working Group's chairman, Jacob Kohnstamm, had already written to Page on Feb. 2 asking the company to delay introduction of the new policy, but Google said then it had no intention of doing so.

In Google's latest refusal to comply, Fleischer said: "We have been keen to meet with the CNIL as lead authority on this matter and have reached out to your office on several occasions both prior to and since receiving Mr Kohnstamm's letter."

But, he continued, "Google are not in a position to pause the worldwide launch of our new privacy policy. [...] To pause now would cause a great deal of confusion for users."

User confusion is one of the reasons that CNIL and the other European data protection regulators want Google to reconsider its new policy.

The new policy essentially says that Google will use information from any one of its services to influence the performance of any of the others -- so someone's search results may be influenced by the content of their Gmail messages or the videos they watched on YouTube, or by their contacts, friends and followers across Google services.

CNIL president Isabelle Falque-Pierrotin told Google she welcomed Google's attempts to streamline and simplify its policies, but said that this should not happen at the expense of transparency or reader comprehension.

"The new privacy policy provides only general information about all the services and types of personal data Google processes. As a consequence, it is impossible for average users who read the new policy to distinguish which purposes, collected data, recipients or access rights are currently relevant to their use of a particular Google service. The fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either," she wrote.

But beyond usability, there is also the question of whether the new policy is legal. On that point, Falque-Pierrotin was emphatic.

"Google's new policy does not meet the requirements of the European Directive on Data Protection," she told Page, before reiterating the working group's earlier demand that Google suspend introduction of the new policy until the group has finished analyzing it.

That analysis could take time, though. Falque-Pierrotin said that CNIL will send Google a questionnaire about its policy changes, and other aspects of its data-processing activities, by mid-March, and that it will study the policy changes' compliance with the law "in the following weeks."

Concern over Google's policy changes in Europe mirrors that in the U.S., where 36 state attorneys general wrote to Page on Feb. 22 saying that Google's new policy does not give users sufficient chance to opt out of Google's tracking.

Google has said that anyone who doesn't like the new policy can simply stop using its services -- but that won't be so easy for users of Android phones, who the attorneys general are concerned would find it virtually impossible to stop using Google services while still using their phones.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at

Join the CSO newsletter!

Error: Please check your email address.

More about CounselEUGoogleIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Peter Sayer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts