
Google In Breach Of The Dutch Data Protection Act

By EDRi · December 4, 2013

The Dutch Data Protection Authority has recently issued a report concluding that Google, with its new privacy policy, is in breach of the Dutch Data Protection Act.

The report is a result of the investigations initiated by the French data protection authority (CNIL) on behalf of all European data protection authorities united in the Article 29 Working Party, following the introduction of Google’s new privacy policy on 1 March 2012. After this initial investigation, the results of which were published in October 2012, six national privacy authorities, in France, Spain, Italy, Germany (Hamburg), the UK, and the Netherlands, decided to initiate national investigations based on their own national laws.

The Dutch legislation allows information to be gathered about individuals only for a particular purpose or business goal. Google gathers data, some of which are of a sensitive nature, such as banking information, location data or surfing behaviour, for the purposes of displaying personalised ads and to personalise services such as YouTube and Search. These data can be combined through Google’s different services, although these services serve entirely different purposes from the point of view of users.

The Dutch DPA found that Google combines the personal data of internet users, collected by its various services, without adequately providing specific information about the data it collects and without obtaining the users’ prior consent. "Google spins an invisible web of our personal data, without our consent. And that is forbidden by law", says Jacob Kohnstamm, the chairman of the Dutch data protection authority. In the authority’s opinion, Google should work harder to get "unambiguous" consent from users to combine data. Consent for combining personal data from different Google services cannot be obtained through the acceptance of general (privacy) terms of service.

In response, Google argued it did give users detailed information about the data it was collecting and what would be done with it. "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward," was Google’s statement.

The Dutch DPA has invited Google to a hearing before deciding whether to take enforcement measures.
