The ICO can serve organisations with a monetary penalty of up to £500,000 if it deems them to be guilty of a serious breach of the Data Protection Act.
Last March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led EU privacy watchdogs, including the ICO, represented in the Article 29 Working Party to appoint French DPA the Commission Nationale de l’information et des Liberties (CNIL) to assess the single policy's compliance with EU data protection laws.
In April CNIL announced that it, the ICO, and watchdogs in Germany, Italy, Spain and the Netherlands had formed a "taskforce" and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.
The DPAs in the Netherlands and Italy are also both in the middle of processes that could eventually see Google sanctioned, whilst Hamburg's Data Protection Commissioner has also initiated an administrative action against the company and said that it will decide whether to further pursue enforcement options based on what Google has to say in a hearing.