Why France Keeps Threatening Google with Tiny Fines

After over a year and a half of ignored requests that evolved in to ultimatums, France's privacy watchdog commission, CNIL, is threatening sanctions against Google for changes the company made to its privacy policy in March 2012. The commission believes the policy violates French data protection laws and inadequately protects Google users.

If you'll think back to early 2012, Google was really forward about the fact that its privacy policy was changing, but critics said it wasn't terribly forthcoming about what exactly would change. It took a letter from eight members of the House of Representatives to get Google to explain that it was essentially removing the seperation between Google's search, Youtube, and other Google services, in order to improve its users' Google experiences.

Starting in February 2012, the EU assigned the Article 29 Data Protection Working Party to look into Google's policies, and mandated that the CNIL head it. The Working Party also requested that Google delay implementing its new privacy policy until the regulators could review it, which Google declined to do. In the course of its analysis of Google, which holds a dominant 80 percent of the European search market, the regulators sent questionaires to Mountain View about changes to its privacy policy. Google answered them, but CNIL still found the answers lacking, saying that, "Google's answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data mininization, proportionality and a right to object."

In October 2012, roughly seven months after Google's privacy policy changed, the Article 29 Data Protection Working Party addressed a letter to Mr. Page October 2012 that expressed its concerns with its findings. Specifically it was concerned that:

• Google provided insufficient information to users on what kind of data was being collected and why.
• Google is collecting and combining the data while at the same time, the company "does not collect the unambiguous consent of the user" to do so.
• Google didn’t provide retention period details outlining how long it was holding on to data.

The regulators wanted Google to “develop interactive presentations that allow users to navigate easily through the content of the policies,” and have tiered privacy protections, opt-out mechanisms, and make explicit what it was collecting and why—especially to protect people who were “passive users” and the “non-authenticated,” who hadn't agreed to anything save for through the implied consent of using the website. The letter noted that, the "protection of the individual’s fundamental rights and freedoms overrides Google’s legitimate interests to collect such a large database, and no contract justifies this large combination of data."

The October letter ended with them asking Google to let the French authorities know how long this would take.

In June 2013, CNIL issued a much more irritated article saying that “Google has not implemented any significant compliance measures," and that this was unacceptable. The internet giant was given an ultimatum. Google had three more months to define what it was collecting and why, define how long the data would be kept, and to make its users aware of what of their data was going where. It was also “not [to] proceed, without legal basis, with the potentially unlimited combination of users’ data." If Google didn't shape up in time, it would face sanctions in France. Legal action from data protection authorities in Spain, Italy, Germany, the UK and the Netherlands would also follow.

According to a press release issued by CNIL last week Google waited until the last day of the three-month limit to send a response which “contested the reasoning followed by the CNIL, and notably the applicability of the French data protection law to the services used by residents in France. Therefore, it has not implemented the requested changes.”

Google, for its part, issued a statement saying that "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and we'll continue to do so going forward." Inquiries as to why, if this was the case, CNIL was threatening sanctions were not returned.

Google could owe France “150,000 euros ($202,755) for the violation, and then another 300,000 euros if it still refuses to comply three months after the first fine,” according to Seth Rosenblatt at CNET, which is as much as French law allows. Fines from the other threatening countries are also drops from Google's considerable bucket. According to IT News for Australian Business, "Spain can impose fines of up to 1 million euros, while the German Data Protection Act caps penalties at 300,000 euros."

There is a partial irony in an organization funded by the French government going after a company for collecting data, when the French government has its own NSA-style data gathering program.

Having six different nations threatening Google also underscores how much easier Europe-wide privacy regulation, like the proposed data reform law, would make things, both for companies working in the European market, and for regulators chasing companies in violation.