EU regulators call on Google to modify privacy policy

European data-protection authorities on Tuesday called on Google to modify its privacy policy and provide a clearer explanation of how it collects and uses consumer data.

In a letter sent to Google chief executive Larry Page, European data protection regulators from 27 countries argued that Google provides "insufficient information" to users on the type of information it culls from its Web services and how this data is used. The regulators raised concerns with the privacy policy Google unveiled this past March and said the search giant failed to provide information on how long it retains the personal data it collects.  

The EU watchdogs had opened an investigation into Google's new privacy policy and tasked CNIL, France's data-protection authority, to lead the probe. CNIL said in a statement that several of the answers Google provided for the investigation "were incomplete or approximate."

Google consolidated the privacy policies among its various Web services this spring. This allowed the search giant to share a user's data across Gmail, YouTube and its other products and enabled it to better target advertising toward its users.

With the investigation completed, the regulators wrote in the letter that "the privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data."

They argued that Google "empowers itself to collect vast amounts of personal data about Internet users," but "has not demonstrated that this collection was proportionate to the purposes for which they are processed."

"Combining personal data on such a large scale creates high risks to the privacy of users," the regulators said.

Peter Fleischer, Google's global privacy counsel, said in a statement that the search company is reviewing the EU regulator's report and is committed to protecting its users' online privacy.

“We have received the report and are reviewing it now. Our new privacy policy demonstrates our longstanding commitment to protecting our users’ information and creating great products," said Fleischer. "We are confident that our privacy notices respect European law.”

The EU letter lists a set of recommendations on how Google can improve its privacy practices. Among the recommendations, the data protection authorities said Google should make it easier for users to opt out of this sharing of data across the company's services and secure explicit consent from users before combining this data.

"As data-protection regulators, we expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data-protection laws and principles," the regulators said.

Isabelle Falque-Pierrotin, the chairwoman of CNIL, said Google could face fines from the French regulator or other EU authorities for not implementing these changes within the next "three to four months," Bloomberg reported.

Members of the Asia Pacific Privacy Authorities — which represents data-protection regulators from Australia, Canada and Mexico — sent a letter of support for the EU's privacy recommendations to Google.

---