Google ordered by German authority to change privacy practices

Google loses yet another round in its regulatory fight over privacy policy changes in Europe

google privacy

A German data protection authority has ordered Google to change how it handles users' private data in the country by the end of the year.

The administrative order was issued on Wednesday by the Hamburg Commissioner for Data Protection and Freedom of Information, Johannes Caspar, in order to force Google to comply with German data protection law and give users more control over their data.

Google started combining policies for various services when it changed its privacy policy in 2012, despite the concerns of European Union data protection authorities. At least six authorities then started formal investigations into the new policy. Hambur of which Hamburg was one of them.

The Hamburg data protection commissioner originally issued the order against Google in September last year, but Google decided to oppose it. Its objection was overruled by the authority.

The company is now obliged to make the necessary changes in order to process data of German users on a valid legal basis, Caspar said.

The big problem is that Google gave itself the right to merge personal data gathered by all the different company services that an individual uses, to build a complete profile on someone without obtaining that person's consent do so, Caspar said. This leads to a situation in which people reveal almost everything that they have done on the Internet to Google without really knowing what the company is doing with all the data, he added.

By the end of the year, Google must get additional informed and explicit consent from its users to combine personal data from different Google services or limit the combination and processing of that data if such consent is not given. Meanwhile it also has to be more transparent about what it does with the data, Caspar said.

If Google disagrees, it can fight the order in a German administrative court within one month.

Google did not immediately respond to a request for comment.

The company, though, has already told the Hamburg authority as well as other European data protection authorities that it plans to make substantial changes to its policy to meet their requirements. Those plans were presented to the authorities late last month, but it remains to be seen whether Google's proposed changes are sufficient, Caspar said.

In a string of actions against Google's data collection policy, the company was already fined in France and Spain over similar privacy issues.

Earlier this year, Google agreed to comply with changes to its policy in the U.K. and in Italy, while the Dutch privacy authority threatened a fine of up to €15 million (a little more than US$16 million) if Google does not change its policy.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.