Today, the Dutch Data Protection Authority (CBP) announced it is imposing an incremental penalty payment on Google of up to 15 million euros:
The results of the investigation by the Dutch DPA, as published earlier, show that Google combines personal data of internet users, amongst others to display personalised ads. This combining not only involves people that are logged in to a Google account, but also people that use the search engine, or people that visit a (third party) website that places or reads cookies from Google.
Data about, for example, search queries, location data, videos watched and e-mails can be combined with each other, while those services serve very different purposes. This combining occurs without Google adequately informing the users in advance and without the company asking for consent. This is in breach of the law.
“Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested,” says Jacob Kohnstamm, chairman of the Dutch DPA.
Incremental penalty payment
The Dutch DPA demands that Google:
- Will ask for the unambiguous consent of users for the combining of personal data from the different Google services. This can be achieved via a separate consent screen. Unambiguous consent can’t be obtained through information about this processing in the general (privacy) terms and conditions.
- Provides clear information about the fact that YouTube is part of Google. With regard to this last point, Google seems to have already taken measures in the Netherlands.
Google has been given until the end of February 2015 to take the measures described above to end the breaches of the Dutch data protection act. After that, the Dutch DPA will verify whether Google has met all demands.
European data protection authorities
After this investigation, 6 data protection authorities, in France, Germany, the UK, Italy, Spain and the Netherlands, decided to start national investigations, based on their own national data protection laws.
Google has recently sent a letter to the 6 data protection authorities, in which the company announces a large number of measures to comply with European privacy laws. The Dutch DPA has not yet established whether the proposed measures will end all the violations found by the Dutch DPA.