The Dutch legislation allows information to be gathered about individuals only for a particular purpose or business goal. Google gathers data, some of which are of a sensitive nature, such as banking information, location data or surfing behaviour, for the purposes of displaying personalised ads and to personalise services such as YouTube and Search. These data can be combined through Google’s different services, although these services serve entirely different purposes from the point of view of users.
The Dutch DPA found that Google combines the personal data from internet users, collected by its various services, without adequately providing specific information about the data it collects and without obtaining the users’ previous consent. "Google spins an invisible web of our personal data, without our consent. And that is forbidden by law", says Jacob Kohnstamm, the chairman of the Dutch data protection authority. In the authority’s opinion, Google should work harder to get "unambiguous" consent from users to combine data. The consent for the combining of personal data from different Google services cannot be obtained by accepting general (privacy) terms of service.
The Dutch DPA has invited Google to a hearing, before deciding whether it would take enforcement measures.
Dutch Data Protection Authority – Investigation into the combining of personal data by Google Report of Definitive Findings (English informal translation, 11.2013)
Dutch privacy watchdog says Google breaks data law (28.11.2013)
EDRi-gram 10.20: Google needs to improve its privacy practices (24.10.2012)
Google violated Dutch data protection laws, says watchdog (29.11.2013)