Brussels, 20/06/2013 (Agence Europe) - The issue of reforming European data protection rules has been getting bogged down, while at the same time, several personal communications monitoring scandals have broken out, such as the PRISM programme. The French Data Protection Authority (CNIL), which provides guidance to European networks in this field, has decided to take action against the US giant, Google. In a press release the CNIL stated that, on Thursday, it had sent the US company a warning letter in which it demands the company to comply with the French data protection act within the next three months
The CNIL points out that, “from February to October 2012, the Article 29 Working Party (“WP29”) investigated into Google's privacy policy with the aim of checking whether it met the requirements of the European data protection legislation. On the basis of its findings, published on 16 October 2012, the WP29 asked Google to implement its recommendations within four months”. Following fresh exchanges between Google and a taskforce led by the CNIL, the Data Protection Authorities from France, Germany, Italy, the Netherlands, Spain and the United Kingdom have each launched enforcement actions against Google. Whilst awaiting new reform, legal action for breach of rules must be on a country by country basis. In January 2012, the Commission proposed that a single authority should be competent for all the others. Not all member states, however, are in a position to introduce penalties in the event of data protection rules being violated.
With regard to the CNIL and French rules, Google's breaches of the French data protection act prevents individuals from knowing how their personal data may be used and from controlling such use. The CNIL is therefore called on the US company to: - define specified and explicit purposes to allow users to understand practically the processing of their personal data; - inform users, in particular with regard to the purposes pursued by the controller of the processing implemented; - define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected; - not proceed, without legal basis, with the potentially unlimited combination of users' data; - fairly collect and process passive users' data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page; - inform users and then obtain their consent in particular before storing cookies in their terminal.
The press release also indicated that, “if Google Inc. does not comply with this formal notice at the end of the given time limit, CNIL's Select Committee, in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company”.
Speaking on Twitter, Commissioner Viviane Reding said that this announcement again proves that there is no time to lose with reform of the 1995 directive. Member states and political groups at the European Parliament, however, are still extremely divided about what course of action to take and the line that future European rules in this area should take. (SP/transl.fl)