Out-Law News 3 min. read

Unambiguous consent cannot be gleaned from consumers' agreement to privacy policy terms, says Dutch watchdog


Businesses cannot claim that consumers have given their unambiguous consent to the processing of their personal data on the sole basis that they have accepted privacy policy terms and conditions, the Dutch data protection authority (DPA) has said.

The watchdog has found that Google breached Dutch data protection laws by processing individuals' personal data without having a legal basis to do so and for not suitably explaining to users of its services the purposes for which they were collecting data about them.

A Google spokesman told Out-Law.com that the company acts in accordance with EU data protection laws.

"Our privacy policy respects European law and allows us to create simpler, more effective services," the spokesman said. "We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward."

In one of its findings, the Dutch DPA said that Google could not claim users had given their unambiguous consent to the use of their data simply because they accepted the terms of use for its services and its privacy policy.

"It is evident from the legislative history that unambiguous consent cannot be obtained through general terms of service," the Dutch watchdog said in an informal English-language document detailing the findings of its investigation into Google's privacy policy (98-page / 8.59MB PDF). "The legislative history also tells us that ‘unambiguous’ means that the data controller may not assume consent based on the failure to act or silence on the part of the data subject. However, Google assumes tacit consent and offers, at most, partial opportunities to opt out."

"Consent – unambiguous or otherwise – requires the information to be specific and the data subject to be informed," it added. "Google does not adequately inform users about the fact that it combines personal data from different services, with or without the aid of cookies."

Last March Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led EU privacy watchdogs represented in the Article 29 Working Party to appoint the French DPA, the Commission Nationale de l’information et des Liberties (CNIL), to assess the single policy's compliance with EU data protection laws.

CNIL asked Google to take action to account for its concerns, but reported earlier this year that the company had not done so to its satisfaction. In April CNIL announced that it, the UK's Information Commissioner's Office (ICO), and watchdogs in Germany, Italy, Spain and the Netherlands had formed a taskforce and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.

The Dutch DPA has now determined that Google's privacy policy breaches the Dutch Data Protection Act and said it will decide whether to impose penalties after hearing what Google has to say in response during a meeting the company has been invited to attend.

"Google spins an invisible web of our personal data, without our consent. And that is forbidden by law," Jacob Kohnstamm, chairman of the Dutch DPA said in a statement.

The Dutch DPA investigated specifically whether Google met data protection standards to enable it to collect and use personal data for four purposes - the personalisation of requested services, product development, display of personalised ads, and website analytics.

It assessed whether Google needed consent to process data or whether the company could rely on another legal basis for combing user data across services for the four purposes. The watchdog said Google could not rely on the 'legitimate interest' ground under data protection laws to process personal data without consent.

"Google has not argued convincingly that its legitimate interest in processing the data for the four purposes under investigation outweighs the data subject’s right to the protection of their privacy," the Dutch DPA said. "The combining of data by Google from and about multiple services and third-party websites for the purpose of displaying personalised ads, personalisation of services, product development and analytics constitutes a major intrusion into the privacy of the users involved."

"Some of these data are of a sensitive nature, such as payment information, location data and information on surfing behaviour across multiple websites. Because of the nature of the data, the diversity of the services, the lack of adequate and specific information and the lack of effective opt-outs, Google’s legitimate interest does not outweigh the data subject’s right to protection of their personal data and privacy," it said.

Google has previously said that it consulted with EU DPAs on its privacy policy plans prior to launching a public information awareness campaign on its intended changes at the time and claimed that it heard no objections from the watchdogs during that time. It decided to press ahead with the changes in March 2012 despite receiving a letter from the watchdogs shortly prior to the launch which raised initial concerns about the policy and asked for more time to investigate its implications.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.