Google faces EU crackdown over privacy violations
The policy was announced last January (though it only came into effect in March), and allowed Google to mix personal data from all its subsidiaries, particularly Youtube, which had hitherto been cordoned off. The new internal user profiles this enabled the company to create are of great value to advertisers, but the company also trumpeted the improved experience it could offer users, saying at the time:
The EU didn't agree, and asked the company to hold off implementation until it had held an investigation on whether it complied with EU data protection law. The probe, which began in mid-March, finally reported back in October, and found that the new policy did indeed breach EU law. The French data protection commission, the CNIL, which led the investigation, had recommended a number of changes, such as easier opt-outs for advertising. But the company insists its policy already complies with EU law.
As a result, the CNIL is organising a co-ordinated response to Google, since, as the head of the commission told the Wall Street Journal on Monday, "we're better armed when we speak with one voice than when each country takes its own steps".
The EU hasn't played the situation brilliantly. The fact that its investigation only reported back in October, over six months after it began, is proof of severe regulatory overreach; and it would have been an unnecessary and unsupportable restraint on Google to have asked it to hold off on what was a major business decision for that entire period.
Nonetheless, Google appears to be continuing a trend amongst Silicon Valley — exemplified by Facebook in its squabble with the Irish data protection commission over facial recognition data — of assuming that the regulations of the countries it operates in don't apply to it. The EU has considerably stricter data protection laws than the US, and while some of them, such as the ill-fated cookie directive, are worthy of being ignored, others provide genuine protection for the consumer.
Google maintains that "we have engaged fully with the CNIL throughout this process and will continue to do so," but the EU's privacy group will vote on whether to take action against the company at the end of February.