Led by the French, organizations in Britain, the Netherlands, Germany, Spain and Italy agreed today on the joint action, with the ultimate possibility of imposing fines or restrictions on operations across the entire 27-country European Union.
Last year the company merged 60 separate privacy policies from around the world into one universal procedure. The European organizations complain that the new policy doesn't allow users to figure out which information is kept, how it is combined by Google services, or how long the company retains it.
The fines’ financial impact on Google would be limited — French privacy watchdog CNIL has the right to fine the company up to 300,000 euros ($385,000), approximately the amount it earns in three minutes, based on its projected revenue of $61 billion this year. Britain can fine up to 500,000 pounds, but rarely does.
But successful legal action would hurt Google's image and could block its ability to collect such data until it addresses the regulators’ concerns.
Google dominates the European market for Internet searches. According to one survey, as much as 95 percent of searches in Europe are carried out through Google, compared with about 65 percent in the United States. European regulators have demanded specifics for anyone using Google on what's being collected and a simpler presentation.
Tensions between privacy and the swiftly evolving ability of companies to spin online usage data into vast profits are ramping up, especially in Europe, where privacy laws tend to be strong and nearly every country has a regulatory body. But Internet users have consistently shown a willingness to give up privacy in exchange for convenience and new online services that Google and other tech companies offer.
Google says it merged its myriad privacy policies in March 2012 for the sake of simplicity, and that the changes comply with European laws.
“There is a wider debate going on about personal data and who owns and controls personal data,” said Colin Strong, a technology analyst with GfK. “The question is the extent to which consumers understand the value of their personal data and the extent that they are happy with the trade that they're getting.”
Each of the six European states bringing legal action against Google has to make its own decision on how to handle perceived violations.
“No one is against Google's objective of simplicity. It's legitimate. But it needs to be accompanied by transparence for consumers and the ability to say yes or no,” Isabelle Falque Pierrotin, head of French privacy regulator CNIL, said in a recent interview. “Consumers have the right to know how the information is being used and what's being done with it.”
But regulations tend to lag technology, and the delay is more pronounced in a digital age when small bits of information can offer increasingly powerful — and lucrative — insights into the psyches of consumers or voters.
Proposed Europe-wide data protection legislation will take until at least 2015 to be fully implemented. In the meantime, said Falque Pierrotin, the national privacy regulators must ensure that European consumers are not vulnerable.
Johannes Caspar, a German data protection commissioner, said the company's policies were vague — it used the word ‘may’ dozens of times on a single page when describing its rights to data.
“Many users don't even know what is happening with their data and might worry that their private information is used to produce personality profiles of them,” Caspar said.
Though consumers have been using the Internet despite the loss of some data privacy, they appear worried about the potential consequences. The European Commission says 70 percent of EU citizens are concerned about the misuse of their personal data; in the United States, about 65 percent are worried, according to a January 2011 Gallup poll.
In March, Google agreed to a $7 million fine to settle a 38-state investigation in the U.S. into software that intercepted emails, passwords and other sensitive information sent over unprotected wireless networks in neighborhoods worldwide. Google blamed an engineer who rigged a data-collection program for its online mapping service that then collected communications on Wi-Fi networks from early 2008 until the spring 0f 2010.
Earlier this year, Microsoft started an ad campaign linking Google to privacy concerns, hoping to cause defections to its own programs.
Two weeks ago, a European Parliament committee signed off on continent-wide legislation that would include a “right to be forgotten,” requiring companies that operate online to show Internet users the personal information collected and, if requested, delete it. It's no simple request when information is gathered from countless computers and mobile devices and stored on servers all around the world.
In the meantime, it's unclear how far beyond fines the regulators are willing to go to impose their will on Google.
“I'm glad that the French are plucky and I'm glad that the French are pushing this,” said Anthony Mullen, an analyst with Forrester Research who advises companies on emerging technologies. “I'm not sure that Google thinks that French regulators have teeth.”