France and Spain led a Europe-wide push on Thursday to get U.S. Internet giant Google to change its policies on collecting user data.
News that the U.S. National Security Agency under the PRISM surveillance program secretly gathered user data from nine U.S. companies, including Google, to track people's movements and contacts makes the timing especially sensitive for Google.
France's data protection watchdog (CNIL) said Google had broken French law and gave it three months to change its privacy policies or risk a fine of up to 150,000 euros ($200,000).
Spain's Data Protection Agency (AEPD) told Google it would be fined between 40,000 euros and 300,000 euros for each of the five violations of the law, saying that it had failed to be clear about what it did with data, may be processing a “disproportionate” amount and holding onto it for an “undetermined or unjustified” period of time.
Google could face fines totalling several million euros.
“By the end of July, all the authorities within the [EU data protection] task force will have taken coercive action against Google,” said CNIL President Isabelle Falque-Pierrotin.
Last year, Google consolidated its 60 privacy policies into one and started combining data collected on individual users across its services, including YouTube, Gmail and social network Google+. It gave users no means to opt out.
National data protection regulators in Europe began a joint inquiry as a result. They gave Google until February to propose changes but it did not make any. Google had several meetings with the watchdogs and argued that combining its policies made it easier for users to understand.
The CNIL's move is seen by legal experts and policymakers as a test of Europe's ability to influence the behavior of international Internet companies.
Britain is still considering whether its law has been broken and will write to Google soon with its findings, the CNIL said.
And Google is due to answer allegations on the issue in a German court hearing late next week, a spokesman for the country's data protection regulator said.
Google said it would continue to work with the authorities in France and elsewhere.
CNIL's Falque-Pierrotin said the PRISM scandal had highlighted the fact people were hungry for more transparency and for there to be ring-fences around their personal data.
European citizens and leading politicians have expressed outrage that they have no legal rights to protect themselves from such spying, and U.S. President Barack Obama was forced to defend PRISM at length during a news conference on a trip to Germany on Wednesday.
“There is a mass of personal information floating about on people in the Google galaxy that people are not even aware of,” Falque-Pierrotin said. “All we are saying to Google is that we would like it to lift the veil a little on what it's doing.”
Chief among CNIL's concerns was the way Google combines anonymous data from users' browsing histories across its services to better target advertising.
Penalties cannot be imposed EU-wide and must be done country by country. But the European Parliament is debating a draft data protection law under which transgressors could be fined as much as two percent of their yearly global turnover.
Privacy issues are not Google's only legal headache in Europe. It is seeking to settle a three-year probe with antitrust regulators into whether it squeezes out online rivals in search results. Brussels has also started looking into Google's Android software that runs mobile phones, to see if it crimps competition in the handset market.