The watchdog has found that Google breached Dutch data protection laws by processing individuals' personal data without having a legal basis to do so and by not suitably explaining to users of its services the purposes for which it was collecting data about them.
A Google spokesman told Out-Law.com that the company acts in accordance with EU data protection laws.
"Consent – unambiguous or otherwise – requires the information to be specific and the data subject to be informed," it added. "Google does not adequately inform users about the fact that it combines personal data from different services, with or without the aid of cookies."
Last March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led EU privacy watchdogs represented in the Article 29 Working Party to appoint the French DPA, the Commission Nationale de l’Informatique et des Libertés (CNIL), to assess the single policy's compliance with EU data protection laws.
CNIL asked Google to take action to account for its concerns, but reported earlier this year that the company had not done so to its satisfaction. In April CNIL announced that it, the UK's Information Commissioner's Office (ICO), and watchdogs in Germany, Italy, Spain and the Netherlands had formed a taskforce and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.
"Google spins an invisible web of our personal data, without our consent. And that is forbidden by law," Jacob Kohnstamm, chairman of the Dutch DPA, said in a statement.
The Dutch DPA investigated specifically whether Google met data protection standards to enable it to collect and use personal data for four purposes - the personalisation of requested services, product development, display of personalised ads, and website analytics.
It assessed whether Google needed consent to process data or whether the company could rely on another legal basis for combining user data across services for the four purposes. The watchdog said Google could not rely on the 'legitimate interest' ground under data protection laws to process personal data without consent.
"Google has not argued convincingly that its legitimate interest in processing the data for the four purposes under investigation outweighs the data subject’s right to the protection of their privacy," the Dutch DPA said. "The combining of data by Google from and about multiple services and third-party websites for the purpose of displaying personalised ads, personalisation of services, product development and analytics constitutes a major intrusion into the privacy of the users involved."
"Some of these data are of a sensitive nature, such as payment information, location data and information on surfing behaviour across multiple websites. Because of the nature of the data, the diversity of the services, the lack of adequate and specific information and the lack of effective opt-outs, Google’s legitimate interest does not outweigh the data subject’s right to protection of their personal data and privacy," it said.