Google is facing enforcement action and possibly fines in six EU member states for violating EU privacy law. The six countries are: France, Germany, Italy, the Netherlands, Spain and the U.K.

What happened?

Last year, Google issued its 2012 global privacy policy, which has been investigated by the French data protection authority (CNIL) on behalf of the Article 29 Group (the EU’s advisory body on data protection). In late February 2012, the CNIL stated that Google’s policy does not respect the EU Data Protection Directive and asked them not to implement the policy. However, Google decided to carry on and implement the policy in any case. After the CNIL’s investigation, the Working Group found that Google was violating a number of rules set out in the EU Data Protection Directive and ePrivacy Directive. The violated rules include: that the collection of personal data only be for limited purposes; users be fully informed about the intended uses of their data and users be given the right to opt out. As a consequence, EU regulators asked Google to change its policy and threatened regulatory action if Google failed to modify it. At present the Data Protection Authorities of six member states, stated above, will start “repressive action”.

What could happen now?

Under current EU law, member states can start legal proceedings via their national DPA’s (Data Protection Authority), based on their national law that should lead to the imposition of fines and force Google to modify its policy.  The Working Party can only give non-legally binding advice to the Commission. At the end of February 2013, DPA’s threatened to take enforcement action against Google by the summer. If Google maintains its privacy policy without changing fundamental provisions, there is a big chance that member states will take enforcement action. The European data protection regulators have sent so many warnings to Google on this precise subject that there is no way back now. If the DPA’s don’t act quickly, it could encourage other big companies to do similar actions and violate future privacy rules which go against EU legislature.

National proceedings and sanction authorities in the member states differ from each other. For example in Belgium, the DPA has limited power to serve fines; while France and Germany have extensive authority but use it in very different ways depending on the case in question. The U.K.’s Information Commissioner’s Office can impose a fine up to £500,000 ($758,000) against a company which breaches U.K. data and privacy laws. So, each DPA will have to impose their own fines separately and maximum fines vary by region.

The types and levels of sanctions of the different DPAs which depend on national laws can include: relatively informal guidance; recommendations; formal warnings; administrative sanctions; investigations; blocking of data processing or transfers and finally, criminal sanctions.

It looks like there is a big chance that if Google maintains its unwillingness to modify its policy, the Working Group will coordinate repressive action via the member states against it. This could lead to other member states preventing other companies, particularly Google, from similar actions in the future by imposing high fines quickly as due precedence has been achieved.

This is an ongoing case and I shall be revisiting it in the near future…