“Google has not implemented any significant compliance measures,” said a statement from France’s regulator CNIL, referring to a document in which the EU-wide data protection committee published last October, but has provoked no alterations to the text of the policy.
“It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation.”
The six bodies will now be able to impose fines numbering in the hundreds of thousands of Euros on Google, though more importantly they can also restrict it from collecting users’ data – a vital part of the search engine’s business model.
"We have put in place a countdown for Google now. Promises to change will no longer be enough," Isabelle Falque-Pierrotin, CNIL's president, told Reuters.
CNIL says the legal action followed an unsuccessful last-ditch negotiation with the company’s representatives on March 19, but Google does not believe it is breaking the law.
Regulators have said that the new policy, which also unified the logins of any users of over 70 different services, allowed Google to collect a vast array of data and store it for an indeterminate amount of time, as well as combining it in ways that are not clarified to the user when they signed up. The watchdogs have called the data gathering “disproportionate”, and say that it poses a “high risk” to customers.
But before the regulating bodies can take any action, they will have to legally prove that Google is breaking the law, or at least has put itself in a position to do so, though Falque-Pierrotin has declared that significant evidence has already been gathered, an investigation will "not start from scratch”.
The European Commission is also in the process of developing new
tough regulations on internet services that would force them to
introduce more end-user control, such as the Right to be Forgotten
(forcing the company to delete all traces of a user who has decided
to quit a service) and penalize them up to 2 percent of annual
global turnover if they refuse to do so. The policy, known as the
General Data Protection Regulation, may be introduced as early as