Google faces wrath of European regulators over unified privacy policy

When Google abruptly unified its privacy policies a year ago, data protection authorities in France reckoned the result broke EU law. The French regulator, CNIL, subsequently took up the cause on behalf of its peers across the various European nations, and sent Google a comprehensive list of questions about the change. Then, in October, following unsatisfactory responses from Google, the regulators came back with a series of recommendations for the company.
Google did not implement the recommendations within the allotted four months, even after a meeting in March with CNIL and data protection authorities (DPAs) from Germany, the UK, the Netherlands, Spain and Italy. And now we see the result. According to a CNIL statement on Tuesday:

“It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation. Consequently, all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation (investigations, inspections, etc.)
“In particular, the CNIL notified Google of the initiation of an inspection procedure and that it had set up an international administrative cooperation procedure with its counterparts in the taskforce.”

The UK Information Commissioner’s Office (ICO) also confirmed that it had opened an investigation to check whether the privacy policy complies with that country’s Data Protection Act (each EU member state transposes EU law into its own version, and there are sometimes variations in interpretation).
Google, meanwhile, said in a statement that its privacy policy “respects European law and allows us to create simpler, more effective services”. “We have engaged fully with the DPAs involved throughout this process, and we’ll continue to do so going forward,” the company added.

What did Google do wrong?

The main problems with the privacy policy, according to the regulators, are that Google doesn’t provide clear and comprehensive information about the data it collects and what it uses the data for, and that it also doesn’t give users control over the way data is mixed and matched across different services.
The DPAs want Google to give its users “the opportunity to choose when their data are combined, for instance with dedicated buttons in the services”, as well as a centralized opt-out for data collection. They also want Google to be much clearer with its users about the way it gathers and exploits their data, ideally “with three levels of detail to ensure that information complies with the requirements laid down in the [Data Protection] Directive and does not degrade the users’ experience”.
So what happens if Google fails to satisfy the DPAs? As this is now being dealt with on a national basis, that depends on the DPA. In the case of the UK ICO, Google could in theory be hit with a monetary penalty of up to £500,000 ($758,000), but it could also be forced to change its processes and practices.
It’s not hard to see the benefit of Google unifying its services, but the DPAs do have a point about the levels of information and control afforded to Google’s customers. It must surely be possible for both Google and the regulators to get their way, although the variable there is the ability of the users to understand and act on the information and controls they are given.
In the new realpolitik required by the collision of big data and privacy, perhaps people will need to start getting used to this kind of granularity.