After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. The French DPA (“CNIL”) issued, on January 3rd 2014, a decision ruling that Google’s privacy policy did not comply with the French Data Protection laws and imposed a fine of € 150,000 (http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/). Google has brought an appeal against the CNIL’s decision.

This is the second decision by a European DPA fining Google for the lack of compliance of its privacy policy: on December 19 2013 the Spanish DPA (“AEPD”) ruled that Google had committed three serious violations of the Spanish Data Protection law and ordered Google to pay a fine of € 300,000 for each one of the three violations (http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2013/notas_prensa/common/diciembre/131219_PR_AEPD_PRI_POL_GOOGLE.pdf). More decisions are to be expected.

A European-wide investigation against Google’s privacy policy

The decisions rendered by the French and Spanish DPAs are the result of a joint investigation by European DPAs, launched in early 2012 when Google announced that it was about to replace the individual privacy policies of each of its products and services with a single privacy policy. The Article 29 Working Party, an independent advisory body whose members are the DPAs of the 28 European Member States, immediately expressed privacy concerns and decided to launch an investigation on behalf of all European DPAs. Following this investigation, the Article 29 Working Party rendered its findings in October 2012: it stated that Google’s privacy policy did not comply with the European Directive on Data Protection for several reasons: 1) it did not inform the users of the type of data collected and of its purposes; 2) it combined, without authorization, data collected by various Google services; and finally, 3) it did not specify the data retention periods. The Article 29 Working Party issued recommendations that Google refused to implement. This led to the decision, in April 2013, of six European DPAs (Germany, France, Italy, Spain, the Netherlands, and the UK) to simultaneously launch legal actions against Google.

So far, Spain and France are the only two DPAs that have issued fines against Google. The Dutch DPA has issued a decision finding Google’s privacy policy in breach of the Dutch privacy law, but has not yet issued sanctions. The investigations are still ongoing in the other Member States (Germany, the UK and Italy).

Does French Law apply to Google’s privacy policy?

This was the first issue that the CNIL had to decide upon. The territorial scope of French law derives from the rules set out by the EC Directive n°95/46. Hence, French law is applicable either because 1) the data controller carries out its activity within an establishment in France, or 2) the data controller is established neither in France nor elsewhere in the EU, but uses “means of processing” of personal data located in France to collect data.

Google claimed that French law did not apply because Google Inc. in California is solely responsible for data collection and processing, and that Google France is not involved in any activity related to the data processing performed by Google Inc.

The CNIL rejected this argument, holding that Google France is involved in the sale of targeted advertising, the value of which is based on the data collected from Internet users. Hence, Google France is involved in the activity of personal data processing, even though it does not perform the technical processing of personal data. The CNIL’s reasoning is similar to the argument developed by the Advocate General in the case currently opposing Google and the Spanish DPA before the European Court of Justice (“ECJ”) (http://curia.europa.eu/juris/document/document.jsf?text=&docid=138782&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=198456/). The ruling of the ECJ on this issue is eagerly awaited.

In addition, the CNIL ruled that Google Inc. placed cookies on the computers of French users, and that such cookies were “means of processing” of personal data located in France because they are used to collect data from the users’ computers. Therefore, even if Google Inc. were considered the sole data controller, French law would nevertheless apply because of the location of the cookies in France.

Are all data collected by Google “personal data” within the meaning of French and EU Law?

One of the main issues is the distinction put forward by Google between “authenticated users”, who have registered an ID to use services such as Gmail; “unauthenticated users”, who use services that do not require identification, such as YouTube; and “passive users”, who visit a third-party website where Google has placed Analytics cookies for targeted advertising.

According to Google, it holds “personal data” only on “authenticated users” and not on “unauthenticated users” or “passive users”. The CNIL rejected this argument because the definition of personal data under French law includes information that indirectly identifies a person. The CNIL considers that, even if the name of the user is not collected, the collection of an IP address combined with the collection of precise and detailed information on the browsing history of the computer amounts to indirectly identifying a person, because it gives precise information on a person’s interests, daily life, life choices, etc.

Therefore, all data collected by Google is considered by the CNIL to be personal data.

Why does Google’s privacy policy breach French Data Protection Law?

The CNIL, following the findings of the Article 29 Working Party, found four breaches of French law on data protection.

First, Google’s privacy policy fails to properly inform users of the collection of their personal data and its purposes. Google unified into a single document the privacy policies applicable to more than 60 services and products. With regard to the “purposes” of the data collection, Google’s policy provides only general purposes, such as the proper performance of the services, without further explanation or details. This was considered too vague to inform users, especially given the variety of services offered by Google and the various types of data collected.

Secondly, Google should have informed users and obtained their consent before placing advertising cookies on their terminal. Obtaining consent for cookies does not require opt-in consent from the user, but the user must be properly informed, before the cookies are placed on the terminal, of their purposes and of how to refuse them. The CNIL found that, with regard to unauthenticated users, Google placed cookies prior to providing any information, in breach of French Data Protection law. In addition, the information provided to users is not sufficient. Only two Google services (Search and YouTube) have a banner with information on cookies. Moreover, little information is given regarding the purposes of the cookies: stating that cookies are meant “to ensure proper performance of the services” is not deemed sufficient information to obtain an “informed consent” from the user. With regard to “passive users” who visit third-party websites where Google placed its “Analytics” cookies, the CNIL considers that, since Google uses the data collected for its own activity (by producing statistics and improving its service), it acts as a data controller and is responsible for obtaining consent.

Thirdly, Google has not defined the period during which it retains the data collected and has not implemented any automatic process for deleting data. For example, no information is available as to how long the data is kept once an authenticated user has cancelled their account.

Finally, the combination of data collected from one Google service with data collected from other Google services requires informed, explicit and specific consent from the user. The CNIL ruled that Google breached this obligation because it did not provide detailed information on the type of data combination it performs and did not seek explicit and specific consent from the user. Consent to the general privacy policy or to the terms and conditions of use is not considered sufficient.