Google's privacy policy breaches the Dutch data protection act, the Dutch Data Protection Authority (Dutch DPA) concluded in an inverstigation. Dutch DPA found that Google combines the personal data from internet users that are collected by all kinds of different Google services, without adequately informing the users in advance and without asking for their consent.

"Google spins an invisible web of our personal data, without our consent. And that is forbidden by law", says the chairman of the Dutch data protection authority, Jacob Kohnstamm. The Dutch DPA has invited Google to attend a hearing, after which the authority will decide whether it will take enforcement measures.

According to Dutch DPA's report, "Google combines personal data relating to internet users that the company obtains from different services. Google does this, amongst others, for the purposes of displaying personalised ads and to personalise services such as YouTube and Search."

However, some of these data is sensitive - payment information, location data and information. On top of that, "Google does not offer users any (prior) options to consent to or reject the examined data processing activities," the Dutch watchdog added.

In January 2012, Google announced that by 1 March 2012 a new privacy policy would apply to all users worldwide.

The French data protection authority (CNIL) then initiated an investigation on behalf of all European data protection authorities (united in the Article 29 Working Party). This resulted in findings, that have been published in October 2012. After this initial investigation (with reference to the European Privacydirective), six national privacy authorities, in France, Germany (Hamburg), the UK, Italy, Spain and the Netherlands have decided to initiate national investigations, based on their own national laws.

In France, the maximum fine is 300,000 euros, whereas in the Netherlands Google would have been fined about a million euros for a similar breach if it had not subsequently complied.