In 2012, the search giant “consolidated” the privacy policies for 60 of its services including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs and Google Maps, thereby combining personal information about people using the search engine, Gmail, other Google accounts or even just accessing a website that places or reads cookies from Google.
After a general investigation led by France, formal investigations were launched by the UK, Germany, Italy, Spain and the Netherlands into the policy’s compliance with EU data protection law. Spain and France have already fined the Chocolate Factory: €900,000 and €150,000 respectively.
Now the Netherlands looks set to follow suit. The College Bescherming Persoonsgegevens (Dutch DPA) has decided that combining disparate data about, for example, search queries, location, videos and emails without adequate consent is in breach of the law. It has given the search behemoth until the end of February to make changes.
Unambiguous consent of users can be achieved via a separate consent screen, but not through the general privacy terms and conditions, said the DPA.
This reflects the overall view held by European data protection authorities. In September, a joint letter from Europe’s data protection chiefs to Eric Schmidt said Google cannot expect users to read the Terms of Service update in order to be informed about their privacy rights.
Google must provide clear, unambiguous and comprehensive information regarding its data processing activities - specifically what is done by which bit of the internet monster. In particular Google must give clear information about the fact thAT YouTube is part of Google, they said.
Google says it has already taken steps to appease the DPAs.
“Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been going on since 2012 and we hope our patience will no longer be tested,” said Dutch DPA chief Jacob Kohnstamm. ®