[JURIST] European regulators led by the French National Commission on Computing and Freedom (CNIL) [official website] on Tuesday urged [letter, PDF; press release]
Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed. … [The policy] allows Google to combine almost any data from any services for any purposes. … Combination of data … requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. … Google does not collect the unambiguous consent of the user … [and] the protection of the individual’s fundamental rights and freedoms override Google’s legitimate interests to collect such a large database. … Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection [is] proportionate to the purposes for which they are processed.
CNIL further asserts its expectation that Google will “take effective and public measures” in addressing privacy concerns. The letter was signed by the policy regulators from 27 European countries.
Google has already faced sharp opposition to its new policy around the world. In August Google agreed [JURIST report] to pay a record fine of $22.5 million to the Federal Trade Commission (FTC) [official website] after being charged with tracking users’ search histories and targeting ads to those users in violation of a previous privacy settlement. In March EU’s Justice Commissioner Vice-President Viviane Reding [official website] declared that Google’s new policy violated EU privacy laws [JURIST report], and EU data authorities voiced concern about the sharing and combination of personal data across services and its compliance with European data protection legislation [text]. Google has also faced criticism for its policy in the US where the US District Court for the District of Columbia [official website] in late February dismissed a suit [JURIST report] filed by consumer privacy group Electronic Privacy Information Center (EPIC) [advocacy website] asking the FTC to block Google’s then proposed changes. In addition, the National Association of Attorneys General (NAAG) [official website] in February sent a letter [JURIST report] to Google signed by 36 state attorneys general expressing concerns about the company’s new privacy policy. In January Google issued a letter in response to concerns raised by members of Congress [JURIST reports] regarding consumer privacy rights as impacted by the new policy.