Six European privacy regulators launch formal investigations of Google's privacy policy

Six European data protection authorities will conduct formal investigations of Google's privacy policy after the company repeatedly rejected their requests that it reverse changes it made to the policy last March, they announced Tuesday.

Data protection authorities in France, Germany, Italy, the Netherlands, Spain and the U.K. have resolved to conduct investigations or inspections of Google's privacy policy, following an initial investigation by the French data protection authority. The precise nature of the actions will depend on how the European Data Protection Directive has been transposed in their respective national laws.

In Germany, Hamburg's Commissioner for Data Privacy and Freedom of Information said it will review the way in which Google processes users' data. Although Google seeks their consent, it is impossible for users to foresee the scope of this consent, Commissioner Johannes Caspar warned in a news release.

Analyses compiled by CNIL raise questions about the legality of Google's processing of personal data, Caspar said.

The six countries will now take a close look at Google's compliance with the law. "Should the data protection concerns be confirmed, appropriate supervisory measures may be taken in the individual member states," he said.

The French National Commission on Computing and Liberty (CNIL) said it has notified Google of the initiation of an inspection procedure.

The U.K.'s Information Commissioner's Office followed suit. An ICO spokesman confirmed the investigation into whether the March 2012 privacy policy is compliant with the Data Protection Act, and added, "As this is an ongoing investigation it would not be appropriate to comment further."

The Dutch data protection authority was similarly circumspect: "We are starting an investigation," said spokeswoman Lysette Rutgers, adding that her organization never comments on the content of any investigation.

A Google spokeswoman offered the same response the company has made since the beginning of CNIL's investigation: "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the DPAs involved throughout this process, and we'll continue to do so going forward."

The six data protection authorities working on the case are all members of the Article 29 Working Party (A29WP), which brings together data protection authorities from across the European Union. Last year it mandated CNIL to begin an investigation on its behalf, after the company repeatedly refused to answer questions about its plans to introduce a new privacy policy.

CNIL published a report on Oct. 26 giving Google four months to comply with its recommendations. It failed to make any significant changes within that period, CNIL said Tuesday, and it is now up to the E.U.'s individual member states to take appropriate action based on its report.

(Loek Essers in Amsterdam contributed to this report.)

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at

Join the CSO newsletter!

Error: Please check your email address.

Tags GoogleregulationsecuritylegalFrench National Commission on Computing and Liberty (CNIL)legislationgovernmentArticle 29 Working PartyprivacyInformation Commissionner's Office

More about GoogleICOIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Peter Sayer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts