France’s Commission Nationale de l’Informatique (CNIL) is examining Google’s new approach to privacy on behalf of data protection regulators of the 27 European Union member states to determine if it conforms with European law.
The CNIL review could lead to financial penalties or administrative sanctions for the U.S. search giant, but it is not clear whether they would be imposed collectively or if individual states would seek their own fines.
The CNIL can impose fines of up to 300,000 euros ($382,200), and other European regulators can levy higher penalties.
“All options are on the table,” said CNIL president Isabelle Falque-Pierrotin told Reuters in an interview.
“We are not totally satisfied with their responses so we have set up this meeting to discuss the issues with Google.”
Google has already provided a 94-page response to a CNIL questionnaire on the new policy, which took effect in March.
“We want to untangle the precise way that specific personal data is being used for individual services, and examine what the benefit for the consumer really is,” added Falque-Pierrotin.
Under its new system, Google consolidated 60 privacy policies into one and completed its ability to pool the data collected on users across its services, including YouTube, Gmail and its social network Google+
The Mountain View, California-based search giant says this allows it to better tailor search results and improve services for consumers. Users are not allowed to opt out.
The move was met with concern not only from Europe, but also from U.S. lawmakers and regulators as far afield as Japan, Canada and Argentina.
Anthony House, a Google spokesman, said the company welcomed the meeting with the CNIL and was confident its privacy notices “respected the requirements of European data protection law”.
“The meeting will give us chance to put things into context and explain the broader actions we are taking to protect our users’ privacy,” he said.
After meeting with Google On May 23, the CNIL will provide an update to the broader group of 27 European data protection regulators from Europe’s member states at a meeting set for early June.
Asked how long Europe’s review would take, Falque-Pierrotin said it depended on how the meeting with Google went. If the CNIL can reach a final analysis quickly, then it will present a final opinion to the broader group in June or a preliminary view to if more work was needed.
The debate over data privacy comes at a delicate time for Google, whose business model is based on giving away free search, email, and other services while making money by selling user-targeted advertising.
It is already being investigated by the EU’s competition authority over how it ranks search results and whether it favors its own products over rival services.
The European Union is also in the process of writing a new law to tighten data protection online, which includes creating a so-called right to be forgotten. That would allow people under some circumstances to request the removal of data they had submitted or posted on websites.
“Our aim is not to single out or demonize one technology company more than another,” said Falque-Pierrotin. “People are waking up to the fact that their whole lives are online and becoming more sensitive about it.”
Reporting by Claire Davenport, Leila Abboud, and Gwenaelle Barzic; Writing by Geert De Clercq; Editing by Mike Nesbit