Today the Dutch CBP- College Bescherming Persoonsgegevens (college for the protection of personal data) announced that it has concluded Google’s unified privacy policy, which went in to effect in March 2012, is against Dutch laws governing private information online.
After Google announced in January 2012 that it would introduce its new unified privacy policy, the French data protection authority (CNIL) launched an investigation on behalf of all European data protection agencies. This investigation resulted in findings published in October 2012, which concluded that Google provided insufficient information to its users on which data it collects, and that this data was combined across different Google services in ‘uncontrolled combinations’.
Following from those initial conclusions, six different national privacy authorities in France, Germany, UK, Italy, Spain, and the Netherlands, launched their own independent investigations. The Dutch CBP’s conclusions follows on from similar conclusions in France, Germany, and the UK. So far Google doesn’t appear to have complied completely to any of these previous judgements.
According to the CBP’s conclusions, the pervasiveness of Google services and platforms ensure that the company “reaches almost every person in the Netherlands with internet access. It is almost impossible not to use Google services on the Internet.” Even when people don’t use any Google service, their activities online are still tracked when they visit one of the millions of websites that show advertising powered by Google’s ad platforms.
The CBP states:
“Google combines the personal data from internet users that are collected by all kinds of different Google services, without adequately informing the users in advance and without asking for their consent. The investigation shows that Google does not properly inform users which personal data the company collects and combines, and for what purposes.”
The chairman of the CBP, Jacob Kohnstamm, says that “Google spins an invisible web of our personal data, without our consent. And that is forbidden by law.”
With these findings now published, the CBP has invited Google to attend a hearing, after which they’ll decide whether to ‘take enforcement measures’. What this means for Google services in the Netherlands is unclear, though it seems likely Google will have to be more transparent about the information it collects from Dutch internet users, and allow people to opt out of this data collection.
Or it could just do what it’s been doing to date, with remarkable success; stall any legal escalation of its ongoing violation of European privacy laws. It would seem rather drastic legal repercussions are required to make the company behave according to European law.
According to Dutch news sources a Google spokesperson stated that “our privacy policy respects European law and allows us to create simpler and more efficient services.”
Read the full findings of the CBP here.