[JURIST] The Commission Nationale de l’Informatique et des Libertes (CNIL) [official website], an independent data protection oversight authority set up by the French government, has fined [press release] Google [corporate website] €150,000 after Google failed to act upon CNIL’s order [JURIST report] to bring Google’s methods tracking and storing user information into compliance with French data privacy law [text, PDF]. CNIL has ordered [Reuters report] Google to post a response to the decision on the Google France homepage within 8 days from last Friday. In March 2012 Google consolidated all 60 privacy policies for its services into one and began combining data collected on individual users across all its services without permitting users to opt-out, which CNIL states is in violation of French data laws. The organization also states that:
[Google] does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
CNIL also criticized Google for failing to obtain user consent prior to storing cookies on users’ terminals, failing to define retention periods for the data Google processes, and for combining all of the data it collects across all services without any legal basis.
Google has faced international criticism for alleged privacy violations. In November the Dutch Data Protection Authority (DPA) [official website] stated that Google [corporate website] was in violation [JURIST report] of the country’s data protection act. Earlier that month, the Regional Court of Berlin held that 25 of Google’s privacy policies and terms of service violated [JURIST report] Germany’s data protection law. Last September the US Court of Appeals for the Ninth Circuit [official website] denied a motion [JURIST report] to dismiss a lawsuit against Google for allegedly violating a federal wiretap law while collecting data for its Street View [corporate website] program. The case arose after Google acknowledged that its Street View vehicles had been collecting and storing data over unencrypted Wi-Fi networks, including personal e-mails, usernames, passwords, videos and documents. In April Google agreed to a $7 million settlement [JURIST report] of another case for alleged improper data collection during its Street View campaign. That same month, six European countries, including France, commenced legal action [JURIST report] against the corporation challenging its privacy policies, which has generated scholarship [JURIST op-ed] over how European response to Google’s privacy policies could impact the US.