Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Fined By French Privacy Regulator

Posted by Unknown on from the clause-37c-google-owns-your-firstborn dept.

First time accepted submitter L-One-L-One writes "Following similar decisions in Spain and the Netherlands, Google was fined 150,000 euros by the French Data Protection authority today for breaching data protection legislation. This sanction follows a long inquiry triggered by Google's decision to change its privacy policy in March 2012. The authority notably considers that the new policy 'does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing,' and that Google combines 'all the data it collects about its users across all of its services without any legal basis.' While the fine may be barely noticeable for Google, the authority requires the search giant to publish this decision on Google's French homepage, google.fr for 48 hours within the next 8 days."

7 of 55 comments (clear)

  1. Re:seems like a weird sanction by pavon · · Score: 2

    Yeah that was my reaction as well. The link has slightly more information, and seems to imply that the current policy may comply with French Law, but the way the change took place did not:

    On the substance of the case, the Sanctions Committee did not challenge the legitimacy of the simplification objective pursued by the company’s merging of its privacy policies.
    Yet, it considers that the conditions under which this single policy is implemented are contrary to several legal requirements:

    If that is true, then the change was a one time offense, and a one-time remedy is fitting. That said, I think the remedy ought to have included a "redo" of the policy change not just a fine; declare that Google's users may choose to be bound by either the old or new policy until Google enacts the change in a manner that is in compliance with the law.

  2. Re:seems like a weird sanction by arielCo · · Score: 5, Informative

    They were ordered in June to comply with the French Data Protection Act within three months. Specifically, to:

    * Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
    * Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
    * Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
    * Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
    * Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page;
    * Inform users and then obtain their consent in particular before storing cookies in their terminal.

    Source

    --
    This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
  3. Re:seems like a weird sanction by Cochonou · · Score: 3, Informative

    By the letter of the law, the CNIL has a very specific status: this 150 000 € fine is the maximum they can impose.
    They can also impose up to 300 000 € fines in case of second offenses, so I as I understand it, Google could be fined again if they keep the offending policy. This would require a new deliberation of the CNIL. They just cannot impose a fine per day of non-compliance like a court would.

  4. Re:no legal basis by X-chan · · Score: 2

    I'm not a specialist about laws so I could be wrong, but we do have a bunch of privacy laws which states quite explicitely what you can and can't do with the data you collected. Each database containing private data must be declared to the CNIL, stating what kind of info you're gathering, for which purpose, etc. So you just can't acquire and merge a bunch of databases without any kind of justification because their combination would be a much greater threat to privacy than both databases separated.

  5. Re:seems like a weird sanction by Anonymous Coward · · Score: 2, Informative

    I can name you hundreds of sites. This is a law in the Netherlands also, and every Dutch site asks for your permission. Want to try one: www.volkskrant.nl (a Dutch newepaper). Isn't it great when your government actually cares about your privacy.

  6. Re:no legal basis by duranaki · · Score: 2

    Thanks for your comment, gave me something to look up: http://en.wikipedia.org/wiki/CNIL :) I'm still unsure on the language of the complaint, but I suppose the privacy laws may specifically outlaw connecting separate databases without some legally defined justification, and Google hasn't provided a legal basis that would grant them an exclusion. Of course I'm no expert either, especially in the field of French law. I wish one of those reporters would flush out the specific violation in this area.

  7. Re:Not 'chump change' by lgw · · Score: 2

    Effectively France is just policing fraud as they see it. If Google isn't honestly disclosing what they do with your information, then it's legitimate to think of this under the umbrella of "fraud prevention".

    I'm all for free markets with minimal regulation, but fraud prevention is absolutely a legitimate place for the government to be sticking its nose in. Just like contract enforcement, and standardization of weights and measures, you can't have a free market without a government fulfilling this role.

    --
    Socialism: a lie told by totalitarians and believed by fools.