The coverage today of the CNIL letter to Larry Page (embedded below) is all over the map, with some outlets focused on hypothetical future drama and action that might be taken if Google makes no changes. For example, the BBC quotes CNIL’s president, Isabelle Falque-Pierrotin, as saying that Google has “‘three or four months’ to make the revisions, otherwise ‘authorities in several countries can take action against Google.’”
The European authorities also express some confusion or mystification over what Google is doing with the data and want the company to be clearer with them and the public generally. In relatively plain English, the following are the central recommendations coming from CNIL and the other EU data protection authorities:
- Commit publicly to privacy principles advocated by the EU data protection authorities
- Tell users what data are being collected and how they’re being used
- Give users the ability to consent to or opt out of Google’s uses of combined personal/behavioral data (in other words, give users more control)
- Identify the data retention periods of the combined data and comply with European data retention standards
Google has said it’s studying the document and will continue to work cooperatively with European authorities. It’s quite possible, however, that Google won’t change anything significant and will simply keep talking to the various European data protection authorities. There’s really no stick here compelling them to do much of anything given that there’s no finding of illegality.
The implication of some of the public statements made by CNIL president Isabelle Falque-Pierrotin in particular, however, is that Google has a limited window to “comply” with Europe’s request and if it fails to do so there might be subsequent action. For now CNIL has only asked for Google to give it some indication of how the company might address the concerns and recommendations expressed in the letter.
CNIL president Isabelle Falque-Pierrotin said regulators were prepared to talk to Google, adding: “If Google does not conform in the allotted time, we will enter into the disciplinary phase”.
Some national data protection regulators including those in Belgium, France and the Netherlands have, in the past, imposed fines on companies that have breached rules. Such sanctions cannot be imposed EU-wide.