
On 16 October 2012, a letter signed by the 27 European Data Protection Authorities (DPAs) was sent to Google, asking the company for better privacy practices, accusing Google of illegality and calling into question the viability of the company’s operations within the European legal environment.
Following Google’s decision to update its privacy policy from 1 March 2012 by combining about 60 different policies for its online services (search, Gmail, YouTube, Google+, and others) into a single user privacy agreement, the Article 29 Working Party mandated the French DPA (Commission Nationale de l’Informatique - CNIL) to lead an investigation into the new Google privacy policy. CNIL sent two questionnaires to Google, but the company's answers were considered incomplete and approximate, especially on key issues such as the description of its personal data processing operations or the precise list of the product-specific privacy policies merged in the new policy. Based on CNIL's findings, the data protection authorities have drawn their common conclusions and made a series of recommendations.
One of the major points of criticism is that "....Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data." The EU DPAs ask Google to publicly commit to these principles. They also recommend that the company provide clearer information to its users on the data collected and the purposes of its personal data processing operations, give users better control over the combination of data across its numerous services, and modify its tools so as to avoid excessive data collection.
One example given in CNIL’s findings is related to credit card information: "Confidentiality rules do not make difference in treatment between a trivial content search and the number of credit card or telephone user. All these data can be used interchangeably for all the purposes mentioned in rules."
The DPAs recommend that Google reinforce users' consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics, by letting users choose when their data are combined. Google should have a legal basis to perform data combination for these purposes, and data collection must also remain proportionate to the purposes pursued. At present, for some of these purposes, the processing is not based on consent, on Google's legitimate interests, or on the performance of a contract. Moreover, Google refused to provide retention periods for the personal data it processes.
Google was given three to four months to comply with the recommendations or face sanctions.
Letter from 27 European DPAs to Google (16.10.2012)
http://www.cnil.fr/fileadmin/documents/en/20121016-letter_google-artic...
Appendix - Google Privacy Policy - Main Findings and Recommendations (16.10.2012)
http://www.cnil.fr/fileadmin/documents/en/GOOGLE_PRIVACY_POLICY-_RECOM...
Google's new privacy policy: incomplete information and uncontrolled combination of data across services (16.10.2012)
http://www.cnil.fr/english/news-and-events/news/article/googles-new-pr...
European Data Regulators Slam Google Over Privacy Policy: “Too Large” And Users Need More Control (But Not Illegal) (16.10.2012)
http://techcrunch.com/2012/10/16/eu-data-regulators-slam-google-over-p...
Europe to Google: respect our laws or face the consequences (16.10.2012)
http://www.privacysurgeon.org/blog/incision/europe-to-google-respect-o...