Enhance Contrast

CBP issues sanction to Google for infringements privacy policy

The Dutch Data Protection Authority (Dutch DPA) has imposed an incremental penalty payment on Google. This sanction may amount to 15 million euros. The reason for the sanction is that Google is acting in breach of several provisions of the Dutch data protection act with its new privacy policy, introduced in 2012.

Infringements

The results of the investigation by the Dutch DPA, as published earlier, show that Google combines personal data of internet users, amongst others to display personalised ads. This combining not only involves people that are logged in to a Google account, but also people that use the search engine, or people that visit a (third party) website that places or reads cookies from Google.

Data about for example search queries, location data, video's watched and e-mails can be combined with each other, while those services serve very different purposes. This combining occurs without Google adequately informing the users in advance and without the company asking for consent. This is in breach of the law.

"Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested," says Jacob Kohnstamm, chairman of the Dutch DPA.

Incremental penalty payment

The Dutch DPA demands that Google:

  • Will ask for the unambiguous consent of users for the combining of personal data from the different Google services. This can be achieved via a separate consent screen. Unambiguous consent can’t be obtained through information about this processing in the general (privacy) terms and conditions.
  • Further clarifies the information in its privacy policy in order to provide clear and consistent information to people on which personal data are used by the different services of Google.
  • Provides clear information about the fact the YouTube is part of Google. With regard to this last point, Google seems to have already taken measures in the Netherlands.

Google has been given until the end of February 2015 to take the measures described above to end the breaches of the Dutch data protection act. After that, the Dutch DPA will verify whether Google has met all demands.

European data protection authorities

In the beginning of 2012, Google announced the introduction on 1 March 2012 of a global new privacy policy, applicable to the users of all services of Google. Following that, the French data protection authority launched an investigation, on behalf of all European data protection authorities. This resulted in the publication of investigation results in October 2012.

After this investigation, 6 data protection authorities, in France, Germany, the UK, Italy, Spain and the Netherlands decided to start national investigations, based on their own national data protection laws.

Google has recently sent a letter to the 6 data protection authorities, in which the company announces a large number of measures to comply with European privacy laws. The Dutch DPA has not yet established whether the proposed measures will end all the violations found by the Dutch DPA.

Related news