Janene Van Jaarsveldt reports:
Google has improved its privacy policy after the Dutch Data Protection Authority threatened the company with a 15 million euro fine, the Authority reported on Thursday.
According to the Authority, google has already applied a number of the suggested measures, AD reports. The internet giant has updated the information on its privacy policy and now also asks new users’ permission to combine their personal data throughout Google services.
Google’s not totally out of the woods yet, though. Read more on NL Times.
A statement on the Dutch Data Protection Authority site explains:
As a result of an incremental penalty payment imposed by the Dutch Data Protection Authority (Dutch DPA) Google has partly ended earlier established infringements on the privacy of individuals. The Dutch DPA had imposed this incremental penalty payment regarding Google’s new privacy policy. The company has now adapted the information in its privacy policy following the demands of the Dutch DPA. Furthermore Google started a privacy campaign. Google intends to end the remaining infringement by informing people about the use of their personal data and by asking them for their informed consent. Google has until the end of December 2015 to obtain the unambiguous consent of all of its users step by step. In the coming months the Dutch DPA will monitor whether this will be done properly and will also verify if the privacy infringement will indeed be ended.
Infringements
The results of the investigation by the Dutch DPA, which were published earlier, showed that Google combines personal data of internet users, to, amongst others, display personal ads. This combining occurred without Google adequately informing the users in advance and without the company asking for their consent. This is in violation of the law.
The practice of combining personal data does not only involve people that are logged in to a Google account, but also people that use Google’s search engine, or visit a (third party) website that places or reads cookies from Google. Data about for example search queries, location data, video’s watched and e-mails sent and received can be combined with each other, while those services serve very different purposes.
Measures
The Dutch DPA had imposed an incremental penalty payment on Google that could amount to 15 million euros. Following this, Google has taken several of the measures demanded by the Dutch DPA. For example, Google has adapted the information in its privacy policy and clarifies that YouTube is a Google service. Google now also asks new users that create a Google account for consent to combine their personal data.
During a legal procedure started by Google, appealing against the incremental penalty payment imposed, the Dutch DPA partly revoked the imposed incremental penalty payment for the remaining infringement by extending the deadline within which Google has to obtain unambiguous consent of all of its users to the end of December.
This means that all users of Google services must have had the opportunity to give their unambiguous consent for the combining of their personal data not later than by the end of December 2015.
If Google does not properly obtain consent, the company risks a penalty payment of 5 million euros. For the moment, Google does not need to make any penalty payments.