A Dutch regulator on Thursday said that Google’s privacy policy update in March 2012 that covers all the online services offered by the search giant is in breach of local laws. “Google spins an invisible web of our personal data, without our consent,” Jacob Kohnstamm, chairman of the College for the Protection of Personal Data said. “And that is forbidden by law.” In a press release, the regulator said that Google is collecting information about its users through various services and combines the obtained data in order to deliver tailored ads and content to users.
But Google isn’t informing users adequately about the data combining process, nor does it offer them an option to consent to or reject the personal data processing done by the company. The regulator said that the general terms of service introduced by Google starting with March 1, 2012 are not enough, as local law requires that users give explicit consent for their personal data to be used in such a manner. According to the watchdog’s report, there are three kind of Google users that are tracked by the company: people who have Google accounts, people who don’t have Google accounts but still use public Google services that do not require logins including Google Search and YouTube and people who do not use Google at all, but whose online activities are still tracked by the company’s ad cookies found on more than 2 million websites.
The regulator has invited Google to attend a hearing, after which it will decide whether it will take any action against the company. In addition to the Netherlands, five other countries in the region are investigating Google’s privacy policy including France, Spain, Germany, U.K. and Italy. Spain has already initiated sanction proceedings against Google, finding that Google Spain and Google Inc. may be committing six infractions against the local data protection law. Google faces fines of up to $408,000 in the region.
Google spokesman Al Verney said that Google’s privacy policy respects European law, and allows the company to create “simpler, more effective services,” The Associated Press reports. Verney also said that Google had engaged full with the Dutch investigation, and it will continue to do so.
Dutch DPA: privacy policy Google in breach of data protection law
Press release, 28 november 2013
The combining of personal data by Google since the introduction of its new privacy policy on 1 March 2012 is in breach of the Dutch data protection act [Wet bescherming persoonsgegevens]. This is the conclusion of the investigation by the Dutch data protection authority [College bescherming persoonsgegevens]. Google combines the personal data from internet users that are collected by all kinds of different Google services, without adequately informing the users in advance and without asking for their consent. The investigation shows that Google does not properly inform users which personal data the company collects and combines, and for what purposes. “Google spins an invisible web of our personal data, without our consent. And that is forbidden by law”, says the chairman of the Dutch data protection authority, Jacob Kohnstamm.
The Dutch DPA has invited Google to attend a hearing, after which the authority will decide whether it will take enforcement measures.With its services, Google reaches almost every person in the Netherlands with internet access. It is almost impossible not to use Google services on the Internet. Many internet users use the search engine Search, the videoservice YouTube or the webmail Gmail. In the Report, three types of users of Google services are distinguished: people with a Google account, people without a Google account that use the open services of Google such as Search and YouTube, and people that do not use Google. Google also collects data about this last group of users, when they for example visit one of the more than 2 million websites worldwide with Google advertising cookies.
The investigation shows that Google combines personal data relating to internet users that the company obtains from different services. Google does this, amongst others, for the purposes of displaying personalised ads and to personalise services such as YouTube and Search. Some of these data are of a sensitive nature, such as payment information, location data and information on surfing behaviour across multiple websites. Data about search queries, location data and video’s watched can be combined, while the different services serve entirely different purposes from the point of view of users. Google does not adequately inform users about the combining of their personal data from all these different services. On top of that, Google does not offer users any (prior) options to consent to or reject the examined data processing activities. The consent, required by law, for the combining of personal data from different Google services cannot be obtained by accepting general (privacy) terms of service.
In January 2012, Google announced that by 1 March 2012 the new privacy policy would apply to all users worldwide. The French data protection authority (CNIL) then initiated an investigation on behalf of all European data protection authorities (united in the Article 29 Working Party). This resulted in findings, that have been published in October 2012. After this initial investigation (with reference to the European Privacydirective), six national privacy authorities, in France, Germany (Hamburg), the UK, Italy, Spain and the Netherlands have decided to initiate national investigations, based on their own national laws.