BERLIN — European regulators on Tuesday threatened Google with fines or legal action unless it makes it clearer to its customers what personal data is being collected from them and how it is being used.
In a letter to Google, the regulators stopped short of describing the company’s 10-month-old data collection policy as illegal. But it noted that Google did not appear to adhere to Europe’s approach to data collection, which requires explicit prior consent by individuals and that the data collected be kept at a minimum.
The regulators couched their requests as “practical recommendations." But when asked what regulators would do if Google did not accede and make changes, Jacob Kohnstamm, head of the Dutch data protection authority, said national regulators probably would take legal action to compel changes.
“After all, enforcement is the name of the game," Kohnstamm said.
The request was made by the French regulator, CNIL, the National Commission for Computing and Civil Liberties, at a news conference in Paris. The French agency was asked this year to analyze the legality of Google’s new data policies by the European Commission’s top privacy panel, called the Article 29 Working Group.
Isabelle Falque-Pierrotin, the chairwoman of CNIL, said her agency was giving Google “three to four months" to respond to its concerns.
“If Google does not implement these recommendations, we will pass to a different phase, a phase of sanctions," Falque-Pierrotin said.
Enforcement of privacy law in Europe remains a matter for national regulators. In France, CNIL has the legal ability to fine companies up to 300,000 euros for privacy breaches. But whether CNIL will levy a fine, and whether other EU countries follow suit, remains unclear.
If adopted, the recommendations could have consequences on some of Google’s main businesses, which depend on consumer profiling for the targeting of advertising.
“Their approach is that we can take anything we learn from you from our services to build a profile of a user to serve targeted ads," Gould said in an interview. “My view is that is a completely legitimate model if you give the consumer the opportunity to opt out."
“The Europeans want Google to ask the user to give their consent explicitly and on a much more specific level, to permit the collection of data for targeted ads."
“If Google did that responsibly, I don’t think it would kill their business," Gould said. “But that is the 64,000 Terabyte question."
In the letter sent to Google, the European data regulators said Google’s new policy allowed the company to “combine almost any data from any services for any purpose."
“Google did not set any limits to the combination of data nor provide clear and comprehensive tools allowing its users to control it," the letter said.
The regulators also noted that Google failed to tell the French investigators how long it kept certain kinds of data, despite being asked to.
The group asked Google to make several specific changes to give consumers more awareness and control over their data, including an interactive online presentation of how the data is used.
The regulators also asked Google to better explain the purposes for collecting data, and how data combined from its different services — which include YouTube, a search engine and the Google Plus social network — might be used.
It also called on the company to give people greater ability to opt out if they did not want their information used for a specific purpose.