UK joins EU demands for Google to rewrite privacy policy

The UK’s privacy watchdog has joined data protection authorities in France, Spain, Germany and Italy in demanding changes to Google’s privacy policy.

An investigation by the Information Commissioner’s Office (ICO) found that Google’s privacy policy raises serious questions about its compliance with the UK Data Protection Act.

“In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products,” the ICO said.

The ICO has given Google until 20 September to rewrite its privacy policy to more informative for individual service users.

Failure to do so, the ICO said, will leave Google “open to the possibility of formal enforcement action”.

In February, France’s privacy watchdog, CNIL, warned that Google could face could face a coordinated "repressive action" if it failed to comply with EU recommendations.

A set of 12 recommendations was adopted by 27 national regulators in October 2012 after a CNIL-led investigation into Google’s data collection practices.

The EU investigation began in March 2012, when Google started combining data from across its sites to better target advertising, which regulators see as "high-risk" to users’ privacy.

The new policy was implemented after the company combined 60 separate privacy policies into a single agreement, which raised privacy concerns on both sides of the Atlantic.

Google maintains that its privacy practices respect European laws.

"We have engaged fully with the authorities involved through this process, and we'll continue to do so going forward," it said in a statement.

However, in April CNIL said Google had yet to respond to the EU recommendations, and issued a three-month deadline, while Spain charged Google with infringing its data protection laws.

CNIL wants Google to specify what it is using personal data for, and how long it is held. It also wants Google to let users opt out of having their data centralised in a single location.

Google faces a French fine of up to €300,000.

The Spanish Data Protection Agency said that it had found evidence of five serious privacy law breaches and that Google cold face fines of up to €1.5m.

The alleged infringements are disproportionate use of private data, diverting private data for other users, storing private data for excessive or undetermined periods, failure to handle private data in a legitimate way, and obstructing users in the exercise of their rights.

While these fines are small in comparison with Google’s first quarter revenues of $14bn, charges and fines from other EU data protection authorities could follow from the UK, Germany, Italy and the Netherlands.

The ICO said its call for Google’s privacy policy to be rewritten comes after working with the other members of the Article 29 Working Party, made up of the other 27 data protection authorities from across Europe.

“We will continue to co-ordinate our efforts to ensure that people’s privacy rights are respected,” the ICO said.