Google has four months to make its privacy policy comply with requests from European Union data protection watchdogs or start facing the possibility of disciplinary action at a national level.
France’s Commission Nationale de l’Informatique, working on behalf of the EU’s 27 national data regulators, said on Tuesday it had found legal flaws with a new approach to user data that Google adopted in March.
Among CNIL’s concerns was the way the US group combines anonymous data from users’ browsing histories across its services to better target advertising.
That led the national regulators to issue 12 recommendations for Google to bring its privacy policy into line, including better informing users on how data will be used, and setting precise periods for data to be retained.
Google global privacy counsel Peter Fleischer said the company would examine the results of the investigation, adding it remained confident its privacy policy respected EU law.
CNIL president Isabelle Falque-Pierrotin said regulators were prepared to talk to Google, adding: “If Google does not conform in the allotted time, we will enter into the disciplinary phase”.
Google can either negotiate with the regulators and change elements of its privacy policy or challenge their authority to impose changes in court. The data protection watchdogs that examined the privacy policy cannot rule on the legality of Google’s approach since they are not a court of law.
