In addition CNIL published a document containing recommendations (9-page / 437KB PDF) it said Google should adopt to remedy the concerns expressed by it and the other privacy watchdogs.
Google faces a "phase of litigation" if it does not take action to implement the recommendations with the next "three or four months," CNIL president Isabelle Flaque-Pierrotin warned, according to a report by the Daily Telegraph.
The Article 29 Working Party is a committee made up of representatives from the data protection authorities based in the EU's 27 member states.
CNIL said that Google does not have a "valid legal basis" to combine personal data it gathers about users from their use of more than one of its services for some purposes for which the information is collected.
It said Google should seek the consent of its users in order to combine their personal data collected from the various services it operates where users lack "direct knowledge" that their data will be combined. This includes where Google uses the combination of data collected to provide personalised search results, CNIL said.
In addition, consent of users is required in order for Google to legitimately combine personal data gathered from across services for advertising and analytics purposes or for the purpose of "marketing innovation and product development".
"We are confident that our privacy policies respect European law," Google said, according to the report.
Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that CNIL's leading of the EU investigation was indicative of a new approach to enforcement which will become more prominent under planned reforms to the EU's data protection regime.
"The choice of CNIL to co-ordinate the European data protection authorities (DPAs) was in itself a sign of things to come," Dautlich said. "The logical choice would have been the Irish authority as Google's EU headquarters are established there. CNIL, though, is widely considered to take robust positions on privacy matters, more so than, say, the ICO in the UK."
"The European DPAs do not, by a long stretch, have equal powers to sanction, or resources to investigate, so co-ordinating across all 27 in this way is the beginning of a new era: combined pressure on Google is more effective than unilateral action, although the Germans have of course done the latter too, in relation to Google Analytics, referred to in the recommendations in the letter," he said.
"The characteristics of the new era are co-ordinated activity by DPAs and early publication of the chargesheet, compared with the old era – typically users protecting themselves by, for example, organising themselves on Facebook to reject features of OpenGraph introduced by Facebook or similar user-led actions," the expert added.
"The irony is that the proposed EU General Data Protection Regulation, with its stiff requirements in relation to consent, including online, is actually likely, in the digital world, to benefit the larger, almost exclusively US, platform businesses such as social networks, search engines and email services," he added. "They are the parties with the scale and reach who are best placed to login users and obtain the quality of consent required under the proposed Regulation."
"Smaller players, which includes all the Europeans, typically offer services and content that users may feel more able to make more nuanced privacy choices about, and perhaps less pressure to accept as offered," Dautlich said.
Under the draft General Data Protection Regulation a new system whereby DPAs from across the EU could cooperate on regulatory activities would be established.
DPAs would have responsibility for regulating companies that have their "main establishment" in that country, but would also be required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state were likely to be affected by decisions taken by one authority, other authorities in those countries would have the right to participate in joint operations. Only the authorities in countries where the organisations have their main establishment would take regulatory action, though, unless the authority confers power on a sister regulator in another state.
"The CNIL, all the authorities among the Working Party and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations," CNIL said in a statement.