The EU privacy regulators are not satisfied with Google's consolidated privacy policies, recommend clearer information of the users and ask Google to offer the persons improved control over the combination of data across its numerous services.
answers and described them as "incomplete" or "approximate."
Regulators claim that Google's responses to letters sent to the company did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy.
The analysis of Google's answers have led EU Data protection authorities to draw their conclusions and make recommendations to Google.
"Under the current Policy, a Google service's user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed," CNIL said in a statement. "Moreover, passive users (i.e. those that interact with some of Google's services like advertising or '+1' buttons on third-party websites) have no information at all."
EU Data protection authorities ask Google to provide clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations.
The European regulators note that by combining users' data across services, Google pursues different purposes such as the provision of a service requested by the user, product development, security, advertising, the creation of the Google account or academic research. The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data.
"Google must have a legal basis to perform the combination of data of each of these purposes and data collection must also remain proportionate to the purposes pursued. However, for some of these purposes including advertising, the processing does not rely on consent, on Google's legitimate interests, nor on the performance of a contract," regulators say.
Regulators ask Google to modify its practices when combining data across services for these purposes, by giving users the opportunity to choose when their data are combined, offer an improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose for which service their data are combined. Google should also
adapt its tools used for the combination of data so that it remains limited to the authorized purposes, e.g. by differentiating the tools used for security and those used for advertising.
Google has also refused to provide retention periods for the personal data it processes.
Online reports also suggest that the US Federal Trade Commission (FTC) is considering its own investigation into whether Google and others have complied with guidelines for the disclosure of information about how paid advertisements appear in search results and whether the rules should be updated.