Following a lengthy investigation by France’s National Commission on Computing and Liberty (CNIL), Google is set to face legal action over its privacy policy in at least six European countries. In a statement released earlier today, CNIL explained that Google had failed to change its policy as requested, resulting in member states being allowed to deal with the matter as they see fit. As a result, France, Italy, Germany, Spain, the Netherlands and the UK will now launch their own investigations to decide what kind of action to take.

In the UK, the Information Commissioner’s Office told The Register that an investigation into Google had already been launched but was still in its early stages. The goal of the investigation is to decide whether or not Google’s consolidation of privacy policies into just one was in contravention of the UK’s Data Protection Act.

“The ICO has launched an investigation into whether Google’s revised March 2012 privacy policy is compliant with the Data Protection Act,” a spokesperson said.

“The action follows an initial investigation by the French data protection authority CNIL, on behalf of the Article 29 group of which the ICO is a member. Several data protection authorities across Europe are now considering whether the policy is compliant with their own national legislation. As this is an ongoing investigation it would not be appropriate to comment further.”

 

Google Flouts European Law

The issue stems from Google’s decision last year to consolidate the privacy policies of services like Gmail, Google Search, Google+ and YouTube into a single policy, which came into effect March 1, 2012. At the time, the company said that the changes would allow it to improve its products and services, enhancing user’s experience whilst allowing for more targeted ads that are relevant and specific to individual users.

Unfortunately for Google, the Europeans didn’t buy any of this ‘enhanced’ experience BS, and instead turned around and told the company not to make any changes, stressing that to do so may be in breach of European data protection laws. Google simply claimed to be “surprised” by the claims, and went ahead and changed its policy anyway.

This led to the Article 29 Working Party, which is a group comprising data protection officials from each of the EU’s member states, tasking CNIL to investigate Google to determine if it had in fact broken any laws on data privacy. The outcome of this investigation came through last October, with CNIL finding that Google’s new policy “may not be in compliance” with EU data laws, adding that several “irregularities” had been found. Following this, CNIL gave Google four months to comply with a request to revert its privacy policy, a deadline that it missed in February.

It remains unclear what kind of sanction Google may ultimately face by the EU states, with heavy fines and an order to alter or revert its privacy policy the most likely outcomes. In any case, Google’s European lawyers are set to have a very busy summer, with the company still awaiting the outcome of a separate investigation into alleged search engine bias by Europe’s anti-trust commissioner.