WebProNews

Tag: cnil

  • France Fines Apple $8.5M for Collecting iPhone User Data Without Consent

    France Fines Apple $8.5M for Collecting iPhone User Data Without Consent

    France’s CNIL has fined Apple $8.5 million for collecting iPhone user data without obtaining prior consent.

    Apple has tried to position itself as a privacy-first company, often highlighting the difference between it and Google or Meta. A major part of that marketing is making the case that Apple doesn’t want, need, or care about user data. Unfortunately, the reality isn’t quite matching up to the hype.

    The CNIL has fined Apple for collecting data from iPhone users that it then used for targeted ads, all without obtaining prior consent from the users. According to the regulatory agency, the Cupertino company did not get “the consent of French iPhone users (iOS version 14.6) before depositing and/or writing identifiers used for advertising purposes on their terminals.”

    What’s more, the CNIL says Apple make it unnecessarily difficult for individuals to deactivate the data collection, especially since the option was not available during initial setup.

    The fine is unusual for Apple, given the company’s well-cultivated reputation, but it does illustrate a growing disparity between Apple’s image and reality. Apple has previously been accused of being the primary beneficiary of its privacy crackdown, while other companies have been significantly harmed.

    Similarly, Apple has been accused of turning a blind eye to companies that have used loopholes to bypass the iOS App Tracking Transparency feature, continuing to track users against their wishes.

    If Apple wants to continue to maintain its reputation as a privacy-first company, it clearly has work to do in order to live up to its own marketing hype.

  • France Fines Microsoft $64 Million Over Bing Cookies

    France Fines Microsoft $64 Million Over Bing Cookies

    France has fined Microsoft $64 million (€60 million) over ambiguity regarding how cookies are handled by its Bing search engine.

    Bing is the second-largest search engine behind Google, one that many use specifically to avoid giving Google any more of their data. Despite this, Bing has run afoul of EU data privacy laws by depositing cookies on users’ computers without consent.

    The CNIL (Commission Nationale de l’Informatique et des Libertés) outlined the nature of the allegations:

    When users visited the search engine “bing.com”, a cookie with several purposes, including the fight against advertising fraud, was automatically deposited on their terminal without any action on their part.

    Furthermore, when they kept browsing the search engine, a cookie with an advertising purpose was placed on their terminal, again without their consent being collected.

    However, the law requires that this type of cookies be deposited only after the users have expressed their consent.

    The CNIL also says Bing did not make it easy to reject cookies:

    While the search engine offered a button to accept cookies immediately, it did not offer an equivalent solution (button to refuse or other) to allow the Internet user to refuse them as easily. Two clicks were needed to refuse all cookies, while only one was needed to accept them.

    If Microsoft does not comply with the CNIL’s ruling by the deadline, the company will be fined “60,000 euros per day overdue.”

  • France Warns Companies Over Google Analytics Use

    France Warns Companies Over Google Analytics Use

    Companies in France are being warned that default use of Google Analytics is illegal over concerns of data transfer between the EU and US.

    France’s National Commission for Informatics and Liberties (CNIL) ordered a website to stop using Google Analytics in February over data privacy concerns. The CNIL has now issued updated guidance that deems the default use of Google Analytics illegal.

    Unlike the US, the EU has comprehensive privacy legislation in the form of the GDPR. A 2020 EU court ruling established that US cloud providers do not meet GDPR requirements. In particular, there is concern over US cloud providers being forced to work with intelligence agencies and hand over customer data to them.

    By default, Google Analytics shares customer data, transferring it from the EU to the US. This gives Google access to the data, and is therefore in breach of the GDPR. The CNIL has already sent out notices to some organizations, but is warning all to make changes as soon as possible. Those changes can include modifying how Google Analytics works, so it does not export data to the US, or stop its use altogether.

    Below is a statement from the CNIL website [translated]:

    Organizations given formal notice have a period of one month to comply and justify this compliance to the CNIL. This one-month period may be renewed, at the request of the organizations concerned.

    “All data controllers using Google Analytics in a similar way to these organizations must now consider this use as illegal under the GDPR.”

  • France the Latest Country to Crack Down on Google Analytics

    France the Latest Country to Crack Down on Google Analytics

    France is the latest country to crack down on Google Analytics, over concerns it violates the GDPR the EU’s privacy legislation.

    In mid-January, the Austrian Data Protection Authority ruled that Google Analytics was illegal due to conflicts with the GDPR. Essentially, the GDPR prohibits countries from exporting EU citizen data to the US. Much of the concern stems from the fact that US intelligence agencies can force companies to give them access to such data, without the protections EU citizens are normally afforded.

    France has now joined Austria, according to Le Monde, via AppleInsider. The National Commission for Informatics and Liberties (CNIL) has ordered a company to stop using Google Analytics.

    “The CNIL notes that Internet users’ data [collected by Google Analytics] are transferred to the United States in violation of…GDPR,” reads the statement Le Monde gained access to. “It therefore requires the site manager to bring these processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics feature (under current conditions) or by using a tool that does not result in a transfer outside the EU.”

    The CNIL has given the site manager one month to stop using Google’s platform. This latest development does not bode well for Google. When Austria made its ruling, experts believed other countries would soon follow suit. Austria and France are likely just the first elements of what may become a wave of losses for the Google Analytics platform.

    National Commission for Informatics and Liberties (CNIL) has issued a formal statement regarding the unnamed company. “The site manager has one month to comply,” says the statement (in translation), as seen by Le Monde.

    “The CNIL notes that Internet users’ data [collected by Google Analytics] are transferred to the United States in violation of…GDPR,” continues the statement. “It therefore requires the site manager to bring these processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics feature (under current conditions) or by using a tool that does not result in a transfer outside the EU.”

  • Google ‘Right To Be Forgotten’ Appeal Shut Down

    Google ‘Right To Be Forgotten’ Appeal Shut Down

    In June, French regulators ordered Google to extend its “Right to be Forgotten” search engine delistings to its sites around the world rather than only in Europe. From their perspective, Google leaving such listings available in other versions of its search engine (such as the American Google.com) lets people easily get around the delistings in localized, European versions of Google. They’re not wrong about that.

    On the other side of the coin, however, Google argues that by complying with this, it would effectively be enabling one regulator to to have control over what happens around the entire world.

    Google appealed in July, but news is out now that its appeal has been blocked, and Google now finds itself at the stage where it has no more course for appeal before facing impending fines. CNIL sasy the appeal has been rejected for the following reasons:

    Geographical extensions are only paths giving access to the processing operation. Once delisting is accepted by the search engine, it must be implemented on all extensions, in accordance with the judgment of the ECJ.

    If this right was limited to some extensions, it could be easily circumvented: in order to find the delisted result, it would be sufficient to search on another extension (e.g. searching in France using google.com) , namely to use another form of access to the processing. This would equate stripping away the efficiency of this right, and applying variable rights to individuals depending on the internet user who queries the search engine and not on the data subject.

    In any case, the right to delisting never leads to deletion of the information on the internet; it merely prevents some results to be displayed following a search made on the sole basis of a person’s name. Thus, the information remains directly accessible on the source website or through a search using other terms. For instance, it is impossible to delist an event.

    In addition, this right is not absolute: it has to be reconciled with the public’s right to information, in particular when the data subject is a public person, under the double supervision of the CNIL and of the court.
    Finally, contrary to what Google has stated, this decision does not show any willingness on the part of the CNIL to apply French law extraterritorially. It simply requests full observance of European legislation by non European players offering their services in Europe.

    You can read CNIL’s whole announcement about the rejection here.

    The Guardian shares quotes from both CNIL (the French regulator) and Google:

    CNIL said in a statement: “Contrary to what Google has stated, this decision does not show any willingness on the part of the CNIL to apply French law extraterritorially. It simply requests full observance of European legislation by non European players offering their services in Europe.”

    A Google spokesman said: “We’ve worked hard to implement the ‘right to be forgotten’ ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so. But as a matter of principle, we respectfully disagree with the idea that one national data protection authority can assert global authority to control the content that people can access around the world.”

    According to the report, Google faces a fine around €300,000 if it doesn’t comply, but that could increase to between 2% and 5% of global operating costs. The company will reportedly then be able to appeal the fine with the he Conseil d’Etat, which serves as the supreme court in France.

    Image via Google

  • Google Fined Over Privacy In France

    Google has reportedly been fined 150,000 euros ($203,500) by CNIL, France’s data protection watchdog for what it deems to be privacy violations. This is apparently the most they can fine a company, though it can be doubled in the case of a repeated offense.

    Google and CNIL have been going back and forth since Google revealed its big privacy policy changes back in 2012. The changes made it so that Google can easily share data from one of its products to the next without sharing any additional data with outside parties.

    The policy hasn’t been much of an issue here in the U.S., but France and other European countries have been very vocal in their opposition to it since it was announced.

    Bloomberg News shares a statement from Google:

    “We’ve engaged fully with the CNIL throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services,” Google said in an e-mailed statement. “We’ll be reading their report closely to determine next steps.”

    The fine is hardly a huge blow to the tech giant. A $22.5 million fine the U.S. Federal Trade Commission handed to Google in 2012 was pretty much considered a mere slap on the wrist by man, considering the revenue Google generates. This fine is basically pocket change for the company.

  • Google May Have To Pay Fines In Europe If It Doesn’t Alter Its Privacy Policy

    Early last year, Google implemented a new privacy policy, which involved consolidating the policies of many of its various products into one main one to span its various offerings, effectively making Google itself a more unified experience.

    The policy change, the company has maintained, does not include any changes to Google’s data sharing policies with regard to third-parties, but only makes the company itself able to use the data it already had access to across its own products.

    This means Google can make better recommendations and deliver more relevant advertising and information to its users, who often use more than one Google product.

    The policy has been in effect for over a year, but France and other European countries have been criticizing the changes and calling for Google to alter the way it handles user privacy ever since. Now, Google is facing fines as a result.

    Bloomberg reports that France has given Google three months to change its policy to avoid fines, andthat other European countries will “follow suit”. Francois de Beaupuy & Stephanie Bodoni write:

    The U.S. search engine giant is breaching French laws because it “prevents individuals from knowing how their personal data may be used and from controlling such use,” France’s National Commission for Computing and Civil Liberties, the country’s data protection watchdog known as CNIL, said today in a statement in Paris. It ordered Google to comply with the French Data Protection Act.

    “France, Spain, the U.K. at the start of next week and Germany at the end of next week will all take a formal and official decision to start repressive proceedings against Google, and a second salvo will come from Italy and the Netherlands by the end of July,” Isabelle Falque-Pierrotin, Chairwoman of the French authority, said.

    CNIL’s statement can be found here (in French).

  • Europe Still Worrying About Google Privacy Policy

    France, the United Kingdom, Germany, Italy, Spain and the Netherlands have launched investigations into Google’s privacy practices after the company elected not to make changes following requests from these countries. Google faces possible fines and other action, depending on how these governments view Google’s policies and how they comply with the countries’ laws.

    French privacy watchdog CNIL has been very vocal about Google’s policies since they went into effect last year. If you’ll recall, Google essentially consolidated the privacy policies of its various products into one central policy, which better allows it to share data from one of its products to the next, effectively turning Google into one main product, as opposed to a bunch of separate ones. Google’s policy does this without changing anything about how it shares data with third parties.

    CNIL says in a statement:

    From March to October 2012, the Article 29 Working Party investigated into Google’s privacy policy with the aim of checking whether it met the requirements of the European Data Protection Directive (95/46/CE). In view of the findings of this analysis which was published on 26 October 2012, the EU Data protection authorities asked Google to comply with their recommendations within 4 months.

    After this period has expired, Google has not implemented any significant compliance measures.

    On 19 March 2013, representatives of Google Inc. were invited at their request to meet with the taskforce led by the CNIL and composed of data protection authorities of France, Germany, Italy, the Netherlands, Spain, and the United-Kingdom. Following this meeting, no change has been seen.

    The article 29 working party’s analysis is finalized. It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation.

    CNIL goes on to say that all the authorities composing the task force have launched actions.

    Meanwhile, Alma Whitten, Google’s first privacy director, is stepping down after three years in this position.

  • CNIL: Google Will Be Called Upon In ‘Coming Weeks’ For Privacy Action

    Earlier this month, French privacy watchdog CNIL was pressing Google on privacy changes again, putting out a statement saying it was determined to act and pursue investigations.

    At the time, Google shared the following statement (via TechCrunch):

    “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and we’ll continue to do so going forward.”

    Now, The Telegraph is reporting that CNIL said Google will be called to appear in “the coming weeks” and could face “repressive action” if failing to give “precise and effective” responses to its privacy recommendations.

    This is all related to the big privacy policy consolidation that Google implemented last year, which makes it possible for the company to use data from one of its services to improve the experience of its other services. I’m sure you recall the story.

    In October, CNIL announced recommendations for clearer information for people regarding the policy, and for Google to give users more control over the combination of data from its various services.

    Friday will mark one year since the new policy went into pace.

  • CNIL Still Speaking Out Against Google Privacy Policy

    French privacy watchdog CNIL is press Google on privacy changes again, several months after it called on the company to give users more control.

    As you may know, Google consolidated a slew of its various privacy policies last year into one core policy, which enables it to share data from one of its products to the next.

    TechCrucnh points to a new statement on the CNIL site, which is in French. Here’s the roughly translated (via Google Translate) version:

    After several months of investigation by the CNIL, the authorities of European data protection issued on 16 October 2012, their joint conclusions on the new rules Google’s privacy. They recommended a clearer information and better control people by users of the combination of data between the various services offered by Google. Finally, Google said they wanted the retention periods of data. At the expiration of four months allowed Google to come into compliance and commit to the implementation of these recommendations, no response has been provided by the company.

    On 18 February, the European authorities find that Google does not give a precise answer and operational recommendations. Under these circumstances, they are determined to act and pursue their investigations. They propose the establishment of a working group, led by the CNIL, to coordinate their enforcement action, which should take place before the summer.

    The action plan envisaged by the authorities at a meeting held in Paris in late January, will be submitted for validation G29 – the group of European CNIL – on the occasion of the Plenary on 26 February.

    TechCrunch shares the following statement from Google:

    “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process, and we’ll continue to do so going forward.”

    Even while Google continues to fight backlash over its policy, which has been in effect for nearly a year, the company continues to work on getting more up close and personal with users, and may even be working on ways to make your actual life searchable.

    Meanwhile, Microsoft is still trying to “educate” people about Google’s privacy practices that have been around for nearly a decade, when it comes to Gmail.

  • Europe Isn’t Satisfied With Google’s Privacy Policy Are You?

    As expected, the Commission Nationale de l’Informatique (CNIL), France’s data protection authority announced today that it, along with numerous other European data protection agencies, finds Google’s privacy policy changes (made earlier this year) unsatisfactory. The authorities say that Google does not provide enough info to users on its processing of personal data, does not allow users to control the combination of data among its “many services,” and does not specify retention periods. Google believes it complies with EU law. The EU disagrees.

    Are you satisfied with Google’s privacy policy? Does it go far enough? What would you change about it? Let us know in the comments.

    The CNIL’s announcement begins (as translated by Google Translate):

    After several months of investigation by the CNIL on new Google privacy policy came into force on 1 March, the authorities of European data protection publish their joint conclusions. They recommend clearer information to people and ask Google to give users more control over the combination of data from the many services it offers. Finally, they want Google changes the tools used to prevent excessive collection of data.

    European authorities have asked Google to provide clearer and more comprehensive info about data collection and the purpose for which all data is collected. These authorities want Google to present three levels of details that they say will “ensure information meets the requirements of the directive without degrading the user experience.” They go so far as to suggest interactive presentations.

    One of the biggest concerns expressed in today’s announcement is that Google is not giving users enough control of the combination of data among its services. The authorities call upon Google to strengthen the consent of people for combined data by allowing users to choose when data are combined (such as with dedicated buttons on pages of services). They specifically cite the “Search Plus Your World” button as an example of what to do.

    They also suggest Google provide better user control by centralizing and simplifying the opt-out process, allowing users to choose which services they want Google to be able to combine data from with other services. In addition, they want Google to distinguish tools used for security and those used for advertising.

    The announcement concludes by indicating that Google has refused to engage on data retention periods for personal data, noting that a letter was sent to Google about this, signed by 27 authorities of European data protection.

    Google hasn’t said much today so far in response to all of this, though they’ve certainly responded to concerns in the past. TechCrunch did manage to squeeze a statement out of Google Global Privacy Counsel Peter Fleischer, who says, “We have received the report and are reviewing it now. Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.”

    It seems that Google is content that there is nothing in today’s announcement indicating that Google is violating any laws, which could simply mean that Google makes no changes to its privacy policy. That remains to be seen. Clearly, the authorities disagree, so this could lead to a legal battle.

    You can see an 18-page response Google sent to the CNIL back in April here. In that letter, Google went through examples of its privacy notices to provide a “better understanding’ of the breadth and scale of its new privacy architecture. Here’s a sample from that letter, somewhat explaining Google’s position:

    Users are accustomed to their products working together, and expect this consistent experience across their Google Account. The use of a primary privacy policy that covers many products and enables the sharing of data between them is an industry standard approach adopted by companies such as Microsoft, Facebook, Yahoo! and Apple.

    Giving users easy access to their data across Google products allows them to do useful things such as immediately add an appointment to Calendar when a message in Gmail looks like it’s about a meeting; read a Google Docs memo right in Gmail; use Google+’s sharing feature, Circles, to send driving directions to family and friends without leaving Google Maps; and use a Gmail address book to auto-complete contact’s email addresses when inviting them to work on a Google Docs memo or sending them a Calendar invitation to a meeting.

    Our updated Privacy Policy reflects our efforts to create one beautifully simple, intuitive user experience across Google. The main change is for users with Google Accounts. The updated Privacy Policy makes clear that, if a user is signed in, Google may combine information a user provided from one service with information from other services. In short, we can treat the user as a single user across all of our products.

    Essentially, Google wants to be treated as if its various services are simply features of one central product. That’s what the privacy policy enables it to do. Would you be concerned if Facebook was using data from your Facebook searching habits to better serve you Facebook ads from your news feed? Would you be concerned if something you did using Apple’s Siri led to you getting some kind of personalized message on iOS?

    This is the kind of scenario Google is thinking about from the standpoint of its own products. Many of its competitors already have products that compete with various Google services, but for the competitors, in many cases, they are simply features, rather than separate services. For example, Facebook Photos vs. Google’s Picasa Web Albums. Apple’s Maps app vs. Google Maps.

    The difference is that Google has started from a somewhat different place than competitors. It has acquired and launched services that were not necessarily integrated from the beginning. They were standalone services with different destinations. The Facebook Photos vs. Picasa Web Albums is a prime example of the difference. Facebook Photos are just part of Facebook, whereas Picasa Web Albums have historically been a completely separate product from other Google products.

    Still, Google owns all of these products, and it makes sense both from a business standpoint, and from the standpoint of a user who uses numerous Google products under a central Google login.

    Should Google be treated differently because of the product strategy it has followed over the years. There is so much talk about whether Google is anticompetitive or not. Wouldn’t preventing Google from being able to use its products together in ways that make business sense and improve the user experience only hurt Google’s ability to compete?

    You can find Google’s privacy policy here.

    Should Google have to make changes to its privacy policy? Let us know what you think.

  • EU Will Tell Google To “Unravel” Its Privacy Policy On Tuesday [Report]

    According to a report from the Guardian out today, Google will be told on Tuesday to “unravel” the changes it made to its European privacy policy earlier this year.

    As you may know, the company launched a major privacy policy change globally earlier this year. It essentially consolidated a number of policies into one major policy to encompass most of Google’s products. This way, people using various Google products would be under the terms of one major policy, effectively turning these different products into features of a central Google product. Because of this, Google is able to use user data from one service to the next, and personalize the user experience based on that.

    According to the Guardian, the CNIL, France’s data protection agency will hold a press conference on Tuesday, to “announce the results of its deliberations together with the data protection chiefs of the other European Union countries.”

    Last week, news came out (also from The Guardian) that Google woud come under fire from European data protection commissioners, and it appears that dat is about to come.

    It will be interesting to see what exactly comes of this, and what effect it might have on Google’s policy throughout the world.

    Google maintains that its policy enables it to build a “better, more intuitive user experience across Google for signed in users.” It’s also important to note that Google’s actual privacy controls did not change.

  • French Privacy Authority CNIL Wants Google’s Street View Data

    Google has reportedly been asked to provide CNIL, a privacy watchdog in France, with data it collected from Street View, which it has not deleted.

    Last week, reports emerged that the company acknowledged that it had not kept a promise to delete all personal data (like emails) it collected from Street View cars a couple years ago. Reuters reported, “Google said the data came to light when it searched by hand its Street View disk inventory.”

    The company reportedly apologized for the error, but now CNIL wants a look at what Google did not delete.

    A statement from CNIL posted today says (translated via Google Translate):

    During inspections carried out in 2009 and 2010, the CNIL had found that Google was collecting from its vehicles dedicated to Street View service, data on Wi-Fi networks These checks had revealed various shortcomings, including the capture without the knowledge of those concerned, data called “content” (IDs, passwords, login details, email exchanges).

    These observations led the CNIL to pronounce, in March 2011, a fine of € 100,000 against the company Google.
    Following this decision, Google informed the CNIL, in June 2011, she proceeded to destroy the data collected illegally.
    However, by letter dated July 27, 2012, Google warned the CNIL, and other European authorities for data protection, she was still in possession of some of the data “content” collected by the Street View cars .

    Like its British counterpart, the CNIL has asked Google to make available the data in question and to keep secure time to conduct all necessary investigations.

    This is by no means the first time CNIL has had its eye on Google. You may recall, for example, earlier this year when Google announced its changes to its privacy policy, CNIL had a big letter and questionnaire for Google to explain itself.

    A lot of people have distrusted Google’s privacy practices for years, and the whole Street View snafu only caused more alarm. This whole failure to delete data debacle certainly hasn’t helped the company’s image.

  • Google Answers Half Of France’s Questions About Privacy

    Google sent a letter to Isabelle Falque-Pierrotin, President of CNIL (Commission nationale de l’informatique et des libertés), the French administrative authority that monitors how companies collect and store personal data of users, in response to a letter and questionnaire the organization gave to Google last month regarding its privacy policy changes. The questionnaire can be read here (pdf).

    Google’s response only addresses half of the organization’s questions, however, and according to Reuters will address the rest by April 15. You can read Google’s 18-page response here (pdf).

    “In addition to our written responses, Google would, as noted in our letter of February 28, 2012, also welcome the chance to meet with the CNIL to explain and discuss Google’s approach to providing information to users,” Google says in the letter. “This is an important issue for us. We have taken a great deal of time and care in designing our approach. In our very first letter to the CNIL on this topic, we emphasised that while we did not feel able to pause the implementation of our Privacy Policy, we would welcome the opportunity to discuss how and where Google provides information to our users. We have reached out many times to the CNIL asking for a meeting to discuss this, and we make that offer again now. We would also welcome attending a Working Party plenary to discuss the concerns of European data protection authorities more generally and to answer their questions.”

    In the letter, Google goes through examples of its privacy notices to give “a better understanding of the breadth and scale” of its privacy notice architecture.

    “We encourage the CNIL to examine the totality of the information Google provides its users,
    and how we deliver it, and not just focus on one piece of it, namely the Privacy Policy,” Google says. “As the Working Party is well aware, providing all detailed privacy information relating to all Google services in one Privacy Policy document would result in a tome with dozens of pages. Instead, we think we are doing a good job on providing a readable umbrella Privacy Policy together with detailed in-product privacy notices. In any case, we are also happy to consider and discuss any comments or views of the CNIL or the Working Party with respect to additional information they consider might be helpful to provide to our users in Europe.”

    Google is dealing with a lot of regulation-related situations in Europe. The company (and its competitors) are also awaiting a decision in an antitrust investigation from the EU, due sometime after Easter.

  • European Union: New Google Privacy Policy Isn’t Lawful Or Fair

    Upon the eve of Google’s new and controversial Privacy Policy going into effect, the tech company received a resounding rebuke from the European Union yesterday as France’s regulator said that the new policy seems to violates the EU’s rules regarding data protection. Given the possibility, CNIL, the French administrative authority that monitors how companies collect and store personal data of users, was not won over by Google.

    With their initial findings not pleasing, CNIL penned a letter to Google CEO Larry Page on Monday that chided the company for failing to actually consult with authorities prior to announcing the new privacy policy. Further, CNIL suggests that Google exaggerated claims that “data protection authorities across the EU had been ‘extensively pre-briefed.’” As it were, it turns out Google only contacted a sample of the authorities and, even then, only did so mere hours before the announcement of the new privacy policy. Ultimately, CNIL declares that “Google’s new privacy policy does not meet the requirements of the European Directive on Data Protection, especially regarding the information provided to data subjects.”

    But just because the EU put Google on the ropes didn’t mean that they were going to start pulling punches. The letter continues to scold Google the way a sagacious parent might discipline a crass, ill-tempered child.

    The fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either.

    Rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices. Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes even for trained privacy professionals.

    The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation.

    CNIL concluded by saying that they will “fully address” this issue within the next few weeks, but by then who knows what further trouble will have arisen in the muck of Google’s new policy. In the meantime, CNIL has asked Google for a “pause” in implementing the new privacy policy.

    To that last note, Peter Fleischer, Google’s global privacy counsel, said, “We have notified over 350 million authenticated Google users and provided highly visible notifications on our home page and in search results for our non-authenticated users. To pause now would cause a great deal of confusion for users.”

    No, enacting a new and poorly understood privacy policy will cause confusion for users, Mr. Fleischer. It’s not like the launch of this new privacy policy is some runaway locomotive on a downhill plummet that can’t possibly be halted without causing the collateral deaths of every passenger onboard. It’s a user policy. You most definitely can delay its application. But instead, Google has opted to amorally go with the “Gimme it, it’s mine!” approach to user privacy, information in general, and its disdain for international laws.