(LONDON) The EU has escalated its existing investigation of Google's global privacy policy, a policy covering all of Google's services that was introduced by Google last year.  Up until April 3, the French data protection authority, CNIL, had effectively been tasked with engaging with Google in an investigation as to whether Google's global privacy policy complies with European data protection laws.  Dissatisfied with Google's response to date, five other data protection authorities from some of the largest EU countries (the United Kingdom, Germany, Spain, Italy and the Netherlands) are now joining France in a coordinated investigation. (The investigation has of course been covered by multiple news sources.  See, for example The Wall Street Journal article here for more information  — and some pithy reader comments.)

The immediate consequences for Google in terms of potential financial penalties are negligible for a company of its size.  Each of the national authorities can levy fines, but they are capped under current law.  For example, the maximum fine in the UK is only £500,000.  Things would be quite different under the proposed Data Protection Regulation, where EU-wide fines could be as high as two percent of worldwide turnover.  See our earlier articles on the draft Regulation here and here.

But pending the introduction of more meaningful fines, the current investigation of Google is about fundamental points of principle (user consent and the viability of a global policy) that could have a widespread effect on companies that do any business with European customers as well as companies with actual operations in Europe.

Google has put together a global policy that attempts to satisfy requirements around the world.  The EU data protection authorities say it isn't good enough for their residents.  Will Google be forced to adopt potentially more restrictive policies on a global basis in order to satisfy the EU and keep its desired approach of a single cross-service global policy?  Or will Google end up creating a special policy for Europe?  Or will the EU regulators be forced to back down – as might happen, if, for example, Google threatened to curtail EU residents access to certain services if Google's terms and conditions, including its privacy policies, aren't accepted in the EU?  (Google is not on the record as having made any such threat, but it's an interesting scenario to consider.)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.