In a letter seen by Media Week, addressed to Larry Page, chief executive of Google, the data regulators have outlined practical recommendations to ensure the search giant adheres to data protection policy in the EU.
Google collaborated with the Working Party’s investigation, by answering two questionnaires sent by the CNIL. However the letter claimed the investigation unveiled "several legal issues" with the new policy and the combination of data.
It said: "The investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data 2 being processed."
In the search for simplicity, it said, internet companies should not "avoid the respect of their duties".
The investigation also confirmed the regulators’ concerns about the combination of data across services saying that Google collects vast amounts of personal data about internet users, which is not proportionate for its processes.
It said Google did not set any limits to the combination of data or provide clear tools to enable users to control it.
The letter calls on Google to modify its practises when combining data across its services. It recommends simplifying opt-out mechanisms, collect explicit user consent for the combination of data for certain purposes, limit data collected for passive users,
The letter said: "As data protection regulators, we expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data protection laws and principles. To that end, we list below our practical recommendations."
"We recognise Google’s key role in the online world. Our recommendations do not seek to limit the company’s ability to innovate and improve its products, but rather to strengthen users’ trust and control, and to ensure compliance with data protection legislations and principles."
Speaking to Media Week, Nick Pickles, director of privacy group Big Brother Watch, said the data regulators across Europe will have varying powers of how they can enforce Google to change its policy if it does not respond to the recommendations.
"This is the first time a multinational company could fall foul of EU data protection laws and it will be a big test for the regulators to make sure it can enforce this policy on a company outside of the EU.
"It's absolutely right that European regulators focus on ensuring people know what data is being collected and how it is being used. Unless people are aware just how much of their behaviour is being monitored and recorded it is impossible to make an informed choice about using services."
Google has been given a number of months to respond to the recommendations.Follow @shearmans
This article was first published on