From March to October 2012, the Article 29 Working Party investigated Google’s privacy policy with the aim of checking whether it met the requirements of the European Data Protection Directive (95/46/CE). In view of the findings of this analysis which was published on 26 October 2012, the EU Data protection authorities asked Google to comply with their recommendations within four months.
This period has expired and Google is said not to have implemented any significant compliance measures.
On 19 March 2013, representatives of Google Inc. were invited at their request to meet with the taskforce led by the CNIL and composed of the data protection authorities of France, Germany, Italy, the Netherlands, Spain, and the UK. According to the CNIL, the lead investigative authority, no change has been seen.
The CNIL press release states that the Article 29 Working Party’s analysis is now said to be finalized : ‘It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation.’
The consequnce is that all the authorities composing the taskforce launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation (investigations, inspections, etc.)
In particular, the CNIL notified Google of the initiation of an inspection procedure and that it had set up an international administrative co-operation procedure with its counterparts in the taskforce.
A Google spokesman said: ‘Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the DPAs involved throughout this process, and we’ll continue to do so going forward’.
The Information Commissioner’s Office made a statement which is short and to the point :
‘The ICO has launched an investigation into whether Google’s revised March 2012 privacy policy is compliant with the Data Protection Act. The action follows an initial investigation by the French data protection authority CNIL, on behalf of the Article 29 group of which the ICO is a member. Several data protection authorities across Europe are now considering whether the policy is compliant with their own national legislation. As this is an ongoing investigation it would not be appropriate to comment further.’