Earlier this year, we reported on Google's announcement and
here for details). Despite initial concerns voiced by the
Article 29 Working Party, the appointment of the French data
protection authority - CNIL to investigate Google's
policy's compliance with the EU Data Protection Directive
(95/46/EC) (the "Directive"), and its request that Google
pause before introducing the policy in order to consult national
regulators, Google introduced the policy on 1 March 2012.
CNIL has announced a press conference to publish the findings of
its investigation later today. As a result, it is expected that the
Article 29 Working Party will criticise Google for not fully
considering the data protection principles set out in the Directive
and challenge it to comply with the principles and its own
In its preliminary analysis of the policy, CNIL raised concerns
that the general information provided in the policy did not satisfy
Articles 10 and 11 of the Directive which require a
purpose-specific wording to ensure transparency for account users.
It is expected that CNIL and the Article 29 Working Party will
build on this assertion, arguing that the policy is not adequately
clear about what categories of data Google processes, how the data
are processed and the purposes for which they are processed.
In reference to Google's combination and tracking of data
across its (amongst others) Google+, Gmail, YouTube and Google
Chrome platforms, CNIL is expected to criticise Google for not
obtaining adequately explicit consent from users. It may also go on
to question whether a policy of collecting and combining such a
vast amount of data is proportionate (as regulated by the
Directive) or is simply in order to enable Google to monetise its
search and advertising functions more effectively. In other words,
CNIL will say that the range of data is so broad that user consent
cannot legitimise it.
As a result of its findings, the Article 29 Working Party may
clearer, more precise information to its users and account holders
on how it uses data. The Article 29 Working Party may also
recommend that Google modify its various platforms to create new
layers of opt-outs/opt-ins, inform users more clearly about how it
combines data, their purpose and, potentially (and more radically),
limit its combination of data.
In the face of changing approaches to data protection on both sides
of the Atlantic, Google and other internet companies may also be
concerned that other regulators will take note of CNIL's
findings and consider this in their forthcoming drafts of data
protection regulation, for example the draft EU Data Protection
here for details) and the United States' proposed Consumer
Privacy Bill of Rights. As global internet companies such as Google
are increasingly able to analyse, store and transfer data across
borders, regulators across the world are looking at ways of
balancing the interests of user privacy with the realities of
system operability, functionality and commerciality.
The ruling will have repercussions for competition regulators too,
as they may rely on it to argue that Google abused its market power
in the browser segment of the market to strengthen its existence in
data flows, and implementing further changes to its platforms and
tools will not be attractive to Google. Google has always provided
its services free of charge on the basis that it must monetise data
in order to maintain the service and make a profit. Its new privacy
policy provided a means of doing this more effectively. However,
though they may acknowledge this fact, the Article 29 Working
Party, CNIL and consumer groups consider Google to be in a unique
position of authority and wish to foster a sense of transparency
and trust across the market and are making their position clear in
This article was written for Law-Now, CMS Cameron
McKenna's free online information service. To register for
Law-Now, please go to www.law-now.com/law-now/mondaq
Law-Now information is for general purposes and guidance
only. The information and opinions expressed in all Law-Now
articles are not necessarily comprehensive and do not purport to
give professional or legal advice. All Law-Now information relates
to circumstances prevailing at the date of its original publication
and may not have been updated to reflect subsequent
The original publication date for this article was
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The date of the first binding vote by the Civil Liberties, Justice and Home Affairs Committee (LIBE) on the proposed General Data Protection Regulation (Regulation), which was initially planned for April-May 2013, has been postponed a second time.
Sam Allardyce recounted a humorous tale which re-enforced how important it is to have the right facts and figures at your disposal, and the importance of controls in establishing a trustworthy dataset.
The Court of Appeal has concurred with the High Court that the publication of private information relevant to an individual's character was justified where the public was entitled to consider his fitness for high public office.
When an organisation collects personal data about an individual, that individual has certain expectations about the purposes for which the data will be used.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”