European Union data protection authorities have found legal problems with Google’s new privacy policy and asked the company to make changes, a letter from a majority of the bloc’s national regulators said.
The letter, which stopped short of declaring Google’s approach to collecting user data illegal, comes after a nine-month investigation led by France’s Commission Nationale de l’Informatique (CNIL) on behalf of the EU’s regulators.
Google must spell out its intentions and methods for combining data collected from its various services, and the web search giant must ask its users for explicit consent when bundling their data together, the regulators say in the letter sent to Google.
“Combining personal data on such a large scale creates high risks to the privacy of users,” says the letter, signed by 24 of EU’s 27 data regulators plus those of Croatia and Liechtenstein. It has not yet been signed by data regulators from Greece, Romania and Lithuania.
“Therefore, Google should modify its practices when combining data across services for these purposes.”
In February, the French regulator CNIL told Google it would lead a European-wide investigation of Google’s update to its new privacy policy and would send it questions by mid-March.