Google should provide users with more information about its policies, stop combining information from different sources when it is not legally justified, and guarantee to delete personal data after set periods, the authorities told Google on Tuesday in a formal letter to CEO Larry Page signed by the members of the Article 29 Working Party (A29WP), which brings together data protection authorities from across the European Union.
In February, the authorities wrote to Google asking it to delay introduction of the policy, warning that it appeared to breach European privacy laws. Google refused, prompting the A29WP to ask the French National Commission on Computing and Liberty (CNIL) to conduct a full investigation.
"I regret that Google did not want to wait. It would have been much better otherwise for the privacy of hundreds of millions of users of Google's services," said Jacob Kohnstamm, chairman of the A29WP and also head of the Dutch data protection authority, at a news conference in Paris.
Google didn't cooperate fully with the investigation, said CNIL president Isabelle Falque-Pierrotin. Despite being sent detailed questionnaires about its policies, it replied with examples and not precise statements.
In the March policy changes, Google combined many different privacy policies into one, and said it may use information from many different sources to modify the behavior of any of its services.
European privacy law allows such combination of data in certain cases, including where the user requests it, for security, for the provision of a Google account and for academic research.
However, there are four cases in which explicit consent is required from the service user, said Falque-Pierrotin, including product development, advertising and analytics. Google should seek that consent from its users before combining data to those ends, and also provide them with a way to opt out, Falque-Pierrotin said.
The company should also explain more clearly what data it stores, and for how long, she said.
The members of the A29WP only sent their letter to Page on Tuesday, but they had already presented their recommendations to Google on Sept. 19, she said.
Those recommendations include ensuring that Google complies with Article 5(3) of the European ePrivacy Directive, the so-called Cookie Directive; rolling out to all countries the version of Google Analytics designed to meet German privacy laws; and simplifying opt-out procedures and making them all accessible from a single page.