France gave Google Inc. (GOOG:US) three months to amend its policy regarding Internet users’ data to avoid fines, and said five other European countries will follow suit by the end of July.
The U.S. search engine giant is breaching French laws because it “prevents individuals from knowing how their personal data may be used and from controlling such use,” France’s National Commission for Computing and Civil Liberties, the country’s data protection watchdog known as CNIL, said today in a statement in Paris. It ordered Google to comply with the French Data Protection Act.
“France, Spain, the U.K. at the start of next week and Germany at the end of next week will all take a formal and official decision to start repressive proceedings against Google, and a second salvo will come from Italy and the Netherlands by the end of July,” Isabelle Falque-Pierrotin, Chairwoman of the French authority, said.
Google faces probes across Europe over changes to harmonize privacy policies for more than 60 products last year. Global data protection regulators this week wrote to the Mountain View, California-based company urging Chief Executive Officer Larry Page to contact them about possible issues with its web-enabled eyeglasses, called Google Glass.
CNIL is also asking the owner of the Gmail messaging system to request users’ permission for “the potentially unlimited combination” of their data, ask users’ approval to collect their data with tools such as the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service on third-party websites, and “inform users and then obtain their consent in particular before storing cookies in their terminal.”
The formal notice “isn’t very prescriptive,” Falque-Pierrotin said. “We’re leaving Google some leeway to reach compliance.”
CNIL can levy a maximum fine of 150,000 euros ($198,200), and 300,000 euros in case of a repeated offense, she said. Other regulators may impose sanctions of up to 1 million euros, potentially exposing Google to “several million euros” of fines on top of damaging its image, she said.
The French watchdog’s most severe fine to date was 100,000 euros against Google in 2011 for breaches related to its Street View mapping service. Hamburg’s data privacy regulator in April fined Google 145,000 euros for collecting wireless-network data from 2008 to 2010 by its cars taking photos for the Street View service.
Data protection regulators from the 27-nation EU, that make up the so-called Article 29 Data Protection Working Party, wrote to Google Chief Executive Officer Larry Page last October, saying the company “empowers itself to collect vast amounts of personal data about Internet users” without demonstrating that this “collection was proportionate,” and asking the company to bring its policy in line with EU rules.
In Spain, Google risks fines of as much as 300,000 euros for violating privacy rules, the country’s data protection regulator said today. The Spanish authority opened a sanctions procedure after initial investigations found there may have been at least five serious infringements.
The Italian authority said in a statement it will request more information from Google and will study the company’s response before deciding whether to impose sanctions. The data protection watchdog in Hamburg, where Google has its main German base, leads the probe in Germany in coordination with other local regulators. It has opened a formal probe against Google.
The Dutch privacy authority as part of its investigation will first issue a confidential report and then request Google’s responses, said CNIL. The final outcome may include fines. The U.K. privacy watchdog will soon write to Google with its initial conclusions, according to CNIL.
Viviane Reding, the EU’s justice commissioner, last year proposed an overhaul of the bloc’s data-protection law to allow national authorities to fine companies as much as 2 percent of yearly global sales for “intentionally or negligently” violating the rules. The plans are under consideration by the European Parliament and EU governments.
“Time is running out for Google to get serious about data protection” and the case gives “yet another reason why we have no time to lose on the EU’s data protection reform,” she said in a posting on Twitter.
To contact the reporters on this story: Francois de Beaupuy in Paris at email@example.com; Stephanie Bodoni in Luxembourg at firstname.lastname@example.org.
To contact the editors responsible for this story: Simon Thiel at email@example.com; Anthony Aarons at firstname.lastname@example.org