Google defies EU over privacy policy

Google’s refusing to accede to a request to put its planned privacy changes on hold while the EU investigates their legality.

France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertes (CNIL), says it’s been asked by the EU to carry out an inquiry into whether the policy complies with new European data protection laws.

The EC recently announced plans for a complete overhaul of its data protection rules, tightening up controls on the use of user data. Under the proposed rules, companies such as Google would have to ask users in advance for permission to store and sell their information.

“CNIL and the European authorities welcome the Google initiative to reduce and simplify its rules of confidentiality. However, this development should not come at the cost of making information less transparent and less complete,” says CNIL.

“The consolidation of Google’s confidentiality rules makes it impossible to know about the personal data collected, the purposes, recipients and relevant access rights for each service. Google’s new rules do not meet the requirements of European Directive on Data Protection (95/46/EC) regarding information on concerned individuals.”

CNIL has written to Google, ticking it off for not consulting the authorities before announcing the new privacy policy last month. It’s calling for Google to put the changes on hold until it’s had time for a full investigation.

The privacy policy changes are scheduled for tomorrow; CNIL says it won’t even have a full list of questions for Google for another week or two.

Google claims that it briefed ‘most’ members of the Article 29 Working Party in advance of the changes – although CNIL says they came as a surprise to many data protection authorities – and has written to its chairman Jacob Kohnstamm about the issue.

“Google are not in a position to pause the worldwide launch of our new privacy policy,” writes Google’s global privacy counsel Peter Fleischer in the letter.

“As I explained in my letter of 3 February 2012 to Mr Kohnstamm, we have notified over 350 million authenticated Google users and provided highly visible notifications on our homepage and in search results for our non-authenticated users. To pause now would cause a great deal of confusion for users.”

He adds that the company’s perfectly happy to have a chat about the policy, though; it remains to be seen whether that’ll be enough to satisfy the EU…