Google’s Privacy Policy

Google’s Privacy Policy

After months of investigations into Google’s new privacy policy the European Data Protection authorities, led by the French Data Protection Commissioner (CNIL), published their findings on 16 October 2012. They have raised concerns over the compliance of Google’s privacy policy with European Data Protection legislation.

The new privacy policy

On 1 March 2012, Google created a single privacy policy for all its services, uniting and collecting all data into a single data location. Google provides over 60 services which include the search engine, Gmail and YouTube. News of the change in policy was first announced on Google’s official blog, where they stated that there were over 70 different privacy policies covering their services. Google wanted to trim down the different policies and create a single universal policy to cover all their services. They claimed this would create better integration between their services which will provide a better experience for the user.

Google collects personal data every time you use one of their services. The internet company say that this information is used to create a better user experience; one that is relevant and tailored to the user. This personal data that Google gathers is clearly very useful for advertisers: the more personal data gathered, the more advertisers can accurately ‘tailor’ their service to their audience. For example, if I searched for washing machines using Google’s search engine and then later watch music videos on YouTube, advertisers can display adverts for washing machines while I am on YouTube as a reminder, or an incentive, to buy a particular washing machine. The adverts are being targeted and made relevant to me as a Google user. This mass gathering and storing of personal data has caused concern for the European Data Protection authorities.

This mass gathering and storing of personal data has caused concern for the European Data Protection authorities.

The investigation and its findings

Under Article 29 of the Data Protection Working Party and the Data Protection Directive 95/46/EC, the European Data Protection Authorities and the CNIL started their investigations into Google’s new privacy policy.

As part of the investigations, the CNIL sent Google two questionnaires which were returned and answered on 20 April 2012 and 21 June 2012. The CNIL felt some of the answers Google gave were ‘incomplete and approximate’ and admitted that there were still some ‘grey areas’ which needed further explanation. On the basis of their analysis and Google’s questionnaires, the CNIL published a report on their findings.

The findings by the European Data Protection Authorities, published on 16 October 2012, raised three primary concerns:

  1. Google does not provide, or provides insufficient, information on the purposes of collecting the data. Currently Google does not provide information to the user on what data is processed and the purpose of collecting such data.
  2. There is no limit on the scope of collection of data across different services. ‘Google does not collect the unambiguous consent of the user’ on which service they gather data from.
  3. Google has not indicated the retention period of data.

European Data Protection legislation has precise framework and procedures, most notably the Data Protection Directive 95/46/EC, which are intended to ensure the personal data collected is not abused. A letter and report signed by 27 European Data Protection authorities, including the UK, to Larry Page, Google’s Co-founder and current CEO, sets out the Commissioners concerns and recommendations to Google’s Privacy Policy. Essentially the Data Protection authorities want users to have more control over how their personal data is being used and stored.


CNIL has recommended that Google should:

  1. Provide a breakdown of its personal data ‘processing operations’ detailing ‘when, why and how such data are collected’
  2. Seek users consent before gathering data and implement ‘opt out’ procedures to allow users the choice to having their personal data collected.
  3. Define the retention period of such data.

What happens now?

Google have confirmed they have received, and are currently reviewing, the report. It may take some time before any action is taken, as the European Data Protection Commissioners have not set a deadline for a response.

This could be the start of a very long process of discussions, further investigations and analysis between the European Data Protection authorities and Google, which could potentially take weeks, if not months, to resolve.

For more information see:

Wilson Wong is a Commercial Paralegal at small London firm and part time evening LPC student. He is particularly interested in Technology, IP and Media law.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Exclusive email insights, members-only careers events, insider tips and more.