The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Google in the Crosshairs of the European Data Protection Authorities

Leave a comment

The following post of the first of a series of guest posts written by students from the US and from all over the world. If you are interested to write a post on a privacy or data security issue, please contact Bridget Calhoun or Marie-Andrée Weiss. The PRIS Committee extends a special invitation to foreign students for whom English is a second language. The following post is written by Clara Steimlé, a law student in France.

On April 2nd, 6 of the 27 European data protection authorities (DPAs) started legal actions against Google. Despite several warnings, Google did not take any measures to avoid this step.

The story began in March 2012 when Google set up a new Privacy Policy, which integrated in to only one all the privacy policies of its sixty or so services, thus allowing Google to gather Google users’ personal data and to create very precise profiles.

A few months later, in October, 2012, the European DPAs, united in the Article 29 Working Party (G29), which is an independent advisory body on data protection and privacy, asked Google, after consultation of an evaluation made by the French DPA, the Commission Nationale de l’Informatique et des Libertés (CNIL), for more complete and clearer information. The G29 thought that Google’s Privacy Policy did not meet the requirements of Directive 95/46/EC, the Data Protection Directive. The G29 then gave Google 4 months to put itself in conformity.

Pursuant to the Data Privacy Directive, data controllers must inform clearly and precisely the data subjects about the purpose of the data processing and also must respect the principle of data minimization. In particular, the G29 blamed Google on three main points.

First, Google does not supply its users with enough information about how it processes data. Users are not informed about Google’s data collection practices and Google doesn’t make any difference between personal data and special categories of data.

Secondly, Google does not give its users the power to control when their personal data is combined among its numerous different services. However, the DPAs did not criticize the principle to include all privacy policies in one. Lastly, Google does not specify the retention period for the data it collects.

During the audit of October 2012, the G29 had made recommendations to Google which, however, were not followed. The CNIL considered that Google should supply control to users over their data and to simplify their right to opt-out.

In spite of these recommendations, Google did not comply.

On March 19th, 2013, a working group met with representatives of Google but no change was implemented. The French, German, Spanish, Italian, Dutch and British DPAs thus decided to each start legal actions against Google in their respective countries.

Google is moreover known to engage in a bit of arm wrestling and to give in only when it no longer has any excuses not to do so. At the moment, it considers it did not violate European laws. The penalties that Google could incur would be different in each of the European Union countries which chose to start legal actions against Google, but could amount to up to 2% of its total global sales.

Nevertheless, the process is not irreversible as no legal action has yet been started, but could happen by the end of summer and penalties pronounced by the end of 2013. However, Google may give in before, not under the threat of financial penalties, but by fear of degrading its reputation.

Clara Steimlé is a LL.M. student at the University of Strasbourg in France. She graduated in 2012 from the University of La Sorbonne in Paris, where she studied international business law. She expects to graduate with a LL.M. in e-commerce economic law in September 2013. Her studies focus on data protection law, e-commerce law, and Intellectual Property. After graduation, she plans to take the French bar exam and practice IP/IT law, with a focus on international law.

Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual English-French, and writes articles regularly in these two languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked several years in the fashion retail industry, as a buyer then a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s