The ICO and watchdogs in France, Germany, Italy, Spain and the Netherlands have together formed a "taskforce" and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.
Last March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led the French DPA, the Commission Nationale de l'Informatique et des Libertés (CNIL), to conclude that the single policy was not compliant with EU data protection laws. CNIL assessed the policy on behalf of all of the EU's privacy watchdogs represented in the Article 29 Working Party.
Amongst its findings, detailed in October, CNIL said that Google does not have a "valid legal basis" to combine, for some of the purposes for which the information is collected, personal data it gathers about users from their use of more than one of its services. At the time CNIL president Isabelle Falque-Pierrotin warned that Google could face a "phase of litigation" if it did not take action to implement the recommendations within "three or four months".
However, CNIL has announced that coordinated action has now commenced. It said that Google has "not implemented any significant compliance measures" to address the concerns it had laid out in October.
"It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," CNIL said in a statement. "Consequently, all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation (investigations, inspections, etc.)"
"In particular, the CNIL notified Google of the initiation of an inspection procedure and that it had set up an international administrative cooperation procedure with its counterparts in the taskforce," it added.
German data protection law expert Stephan Appt of Pinsent Masons, the law firm behind Out-Law.com, said that the Hamburg DPA has not "extensively levied fines in the past", but that it had the power to do so.
"The Hamburg DPA tends to concentrate on fostering a public awareness of data protection issues by making its concerns public," Appt said. "Google and Caspar have discussed data protection issues extensively in the past. Previously he questioned Google Analytics' compliance with data protection requirements. This is due to the fact that German DPAs consider IP addresses to constitute personal data, which in consequence would trigger a need for users' consent to be given prior to the commencement of any analytic processes in the US."
"After respective negotiations with Google failed, Caspar threatened to go after the users of Google Analytics and respective notices were sent to companies using Google Analytics. Caspar also unveiled Google's recent Street View data breach where Google collected private information wirelessly including emails and text messages," he added.
"The German Act on telemedia allows for a fine of up to €50,000 for insufficient information about data processing in online privacy policies, which appears to be one of the allegations in the current case, whereas in case it can be established that Google's data processing is generally in breach of German data protection law, the German Data Protection Act theoretically allows for a fine of up to €300,000 or even higher if the breach confers a benefit for Google exceeding that amount," the expert said.
The UK's ICO has the power to fine organisations up to £500,000 if it deems they have been guilty of a serious breach of the Data Protection Act.
Appt added that the way the various DPAs had coordinated their efforts across the EU had given an insight into how they would work together if proposals contained in the European Commission's draft General Data Protection Regulation are introduced.
"The concept of a lead data protection authority with coordinated help from other data protection authorities will play a more important role in the future," Appt said. "We have seen this approach with the 16 different data protection authorities in Germany and believe that indeed there is a purposeful aim to foster coordinated approaches throughout Europe."