* Google pooling user data across services since March 2012
* EU regulators see policy as ‘high risk’ to user privacy
* Google says approach to user data complies with law
* Decisions on penalties, possible fines seen in summer
By Leila Abboud and Claire Davenport
France, Germany, Italy, the Netherlands, Spain and Britain said on Tuesday they began a process to decide if Google’s policy introduced in March 2012 broke national laws.
Google consolidated 60 privacy policies into one last year and started combining data collected on individual users across its services, such as YouTube, Gmail and social network Google+. It gave the users no means to opt out.
Twenty-nine European data protection regulators began a joint enquiry as a result.
The enquiry, led by France’s CNIL, found in October that Google’s new policy posed a “high risk” to the privacy of individuals, although it stopped short of declaring it illegal.
The regulators gave Google until February to propose changes but the search engine did not make any after a March 19 with national regulators.
“Regulators in six states have begun the process of looking at penalties, and each must now act based on national law,” said Isabelle Falque-Pierrotin, CNIL’s president, in an interview.
“We have put in place a countdown for Google now. Promises to change will no longer be enough.”
The six states have the power to impose fines on Google, said Falque-Pierrotin, but each must go through a local inquiry to determine that a wrong had been committed under national law even after the European joint position published in October.
They will use the joint analysis to underpin their investigations and will “not start from scratch”, she added.
Google said it would continue to cooperate with European regulators.
The year-long tussle with the Web search giant is seen by legal experts and policymakers as a test of Europe’s ability to influence the behaviour of international Internet companies.
Policymakers are debating a draft Europe-wide data protection law under which transgressors could be fined as much as 2 percent of their annual global turnover.
It would impose stricter rules on how companies collect and store customer data and would require notification of data breaches. The plan has sparked a lobbying effort by big technology companies, banks and other firms who worry it would lumber them with additional costs.
Jacob Konhstamm, head of the Dutch data protection regulator, said the fact that each state had to take enforcement action separately showed the need for the new law.
“If anybody needed an argument that the directive should change, then this is it,” he said in an interview.
A spokesman for Britain’s Information Commissioner’s Office (ICO) said it was likely to decide in the summer what action, if any, to take against Google. The highest penalty the ICO can impose is 500,000 pounds ($756,400).
France’s CNIL has begun its action against Google and the next likely step would be to notify the search engine that it is in violation of local law, giving it three months to respond before fines can be applied. The maximum fine is 300,000 euros.
Italy and Spain also confirmed in emailed statements that they had begun local enforcement actions.