In a two-day closed-door meeting this week in Brussels of the European Union’s 27 national data protection officials, the group mapped a preliminary strategy, including the possibility of testing Google’s compliance with national privacy laws in countries like Ireland, Belgium and Finland, where the company operates data centers. That was the word from a person close to the discussions, who was not authorized to speak publicly.
The group may issue a public statement next week on the matter.
New guidelines that Google adopted this year for collecting information on individuals have come under sharp criticism in Europe.
In mid-October the French regulator, CNIL, which had been asked by the group to study the matter, released a report criticizing Google’s privacy guidelines as allowing an “uncontrolled combination of data.”
CNIL said the method of combining information from Google’s search engine, YouTube, Google+ social network and other services “suggests the absence of any limit concerning the scope of collection and the potential uses of the personal data.”
When CNIL released its report, Google said it would study the analysis. But the company also asserted that its method of handling consumer data was legal under European Union rules. So far the company, which also ran afoul of European regulators in 2010 for its collection of personal data from home Wi-Fi routers, has not responded formally to the CNIL report.
On Friday, a Google spokesman in Brussels, Alistair Verney, referred to the company’s previous statement in October, which said Google was reviewing the French recommendations.
When CNIL presented its analysis in October, the chairwoman of the French regulator, Isabelle Falque-Pierrotin, gave the search engine “three to four months” — roughly until mid-February — to respond to its recommendations.
Among other things, CNIL asked Google to heed European restrictions on mixing certain data and to heed Europe’s rules for obtaining prior consent from consumers before collecting personal data.
But CNIL argued in its review that the opt-in disclaimer, which is legal under United States law, was too broad. It also said consumers should be given clearer information and be allowed to individually authorize or reject the collection of certain kinds of data.
Google announced its new policy, which applies globally and was presented as a way to simplify the user experience, this year.
The company made nearly all of its $37.9 billion in sales revenue in 2011 from Internet advertising, which relies in part on the collection and analysis of user data to produce ads aimed at individual consumers.
While European lawmakers coordinate European Union data protection from Brussels, privacy law is enforced on the national level.
That decentralization is the reason why regulators are considering taking action within a few nations — most likely in countries where Google has physical operations and where national courts could be asked to enforce penalties.
But whether any actions, if they do eventually take place, result in anything other than minor sanctions remains to be seen. In general, European national regulators are limited to only a few hundred thousand euros in the privacy-violation fines they can assess against companies or individuals.
A proposed update to European Union data protection law would give regulators the ability to assess much larger fines of as much as 2 percent of a company’s annual sales, which, based on Google’s 2011 revenue of $37.9 billion, would equate to $760 million.
But it is unclear how soon, if ever, those higher penalties will be adopted.