Google launched a new privacy policy that took effect on March 1st, 2012. According to Google, the purpose of revising its privacy policy was to unify into one single privacy policy more than 60 different privacy policies across its wide array of products and services. 

The Article 29 Working Party, the European independent advisory body on data privacy, expressed concerns about the consequences of this new privacy policy on the citizens of the EU member states. It informed Google in a letter dated February 2nd that the French Data Protection Authority (“CNIL”) has taken on the task of reviewing and analyzing Google’s new privacy policy, on behalf of all European data protection authorities. It also requested that Google delay the implementation of the new policy until the analysis is completed, which Google refused.

After conducting its preliminary analysis, the CNIL informed Google in a letter dated February 27th 2012 that the CNIL decided to launch an investigation on behalf of all European data protection authorities. According to this letter, the CNIL expressed strong doubts about the compliance of Google’s privacy policy with the European Directive 95/46/EC on data protection (the “Directive”).

Firstly, the CNIL states that Google’s privacy policy does not comply with the obligations under Article 10 of the Directive. Specifically, according the CNIL, Google’s new policy is too general – the data subjects are not informed of the specific purpose of data collection across Google’s products and services or the recipients of the data collected. The CNIL posits that Google should have used a “multi-layered” approach, where basic, general information about its privacy practices is provided in a short notice, followed by more detailed information for each service in a longer notice.

In addition, the CNIL and all EU data protection authorities stated that they are “deeply concerned” about the possibility for Google to combine data across its products and services (such as, for example, using data collected through a data subject’s use of his/her Android phone in order to display targeted advertisements when he/she uses YouTube). The CNIL, referencing Articles 6 and 7 of the Directive, expressed “strong doubts” about the lawfulness and fairness of Google’s data processing.

The CNIL has indicated that it will continue to investigate Google’s privacy practices.