Google privacy policy 'does not meet' EU data protection laws

Google's new privacy policy does not meet the requirements of EU data protection laws, according to an EU working party.

Google's new privacy policy does not meet the requirements of EU data protection laws and should be delayed for further discussion, according to the EU working party tasked with looking at the search giant's new plans.

French privacy regulator CNIL yesterday wrote to Google CEO Larry Page on behalf of the EU working party to say it is "deeply concerned" about Google's intention to combine users' personal data across its service, and to express "strong doubts" about the legality of such a move.

"Our preliminary analysis shows that Google's new policy does not meet the requirements of the European Directive on Data Protection, especially regarding the information provided to data subjects," said the letter to Page, which was signed by CNIL president Isabelle Falque-Pierrotin.

CNIL said it welcomes Google's attempts to simplify its privacy policy, but pointedly highlights that "this should not be conducted at the expense of transparency and comprehensiveness."

"By merging the privacy policies of its services, Google makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service," said a statement from CNIL.

Falque-Pierrotin wrote that it is "impossible for average users" to understand how Google would use their personal data. Furthermore, "it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals," she wrote.

Google announced last month that it is combining over 70 privacy documents covering its different products into a single privacy policy covering all its services. Google users have been shown prominent warnings about the new policy and encouraged to read more details, a move welcomed by the CNIL.

But privacy campaigners had already expressed their concerns about the new policy. Google said the new policy will make using its products easier for customers.

Our new Privacy Policy makes clear that, if you're signed in, we may combine information you've provided from one service with information from other services," Alma Whitten, Google’s director of privacy, wrote in a blog post when the policy was announced. "In short, we'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience."

CNIL further criticised Google for not fully consulting EU data protection authorities prior to the launch.

Read more on Privacy and data protection