Six European data protection authorities will conduct formal investigations of Google's privacy policy after the company repeatedly rejected their requests that it reverse changes it made to the policy last March, they announced Tuesday.
Data protection authorities in France, Germany, Italy, the Netherlands, Spain and the U.K. have resolved to conduct investigations or inspections of Google's privacy policy, following an initial investigation by the French data protection authority. The precise nature of the actions will depend on how the European Data Protection Directive has been transposed in their respective national laws.
In Germany, Hamburg's Commissioner for Data Privacy and Freedom of Information said it will review the way in which Google processes users' data. Although Google seeks their consent, it is impossible for users to foresee the scope of this consent, Commissioner Johannes Caspar warned in a news release.
Analyses compiled by the French National Commission on Computing and Liberty (CNIL) raise questions about the legality of Google's processing of personal data, Caspar said.
The six countries will now take a close look at Google's compliance with the law. "Should the data protection concerns be confirmed, appropriate supervisory measures may be taken in the individual member states," he said.
The CNIL also said it has notified Google of the initiation of an inspection procedure.
The U.K.'s Information Commissioner's Office followed suit. An ICO spokesman confirmed the investigation into whether the March 2012 privacy policy is compliant with the Data Protection Act, and added, "As this is an ongoing investigation it would not be appropriate to comment further."
The Dutch data protection authority was similarly circumspect: "We are starting an investigation," said spokeswoman Lysette Rutgers, adding that her organization never comments on the content of any investigation.
A Google spokeswoman offered the same response the company has made since the beginning of CNIL's investigation: "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the DPAs involved throughout this process, and we'll continue to do so going forward."
The six data protection authorities working on the case are all members of the Article 29 Working Party (A29WP), which brings together data protection authorities from across the European Union. Last year it mandated CNIL to begin an investigation on its behalf, after the company repeatedly refused to answer questions about its plans to introduce a new privacy policy.
CNIL published a report on Oct. 26 giving Google four months to comply with its recommendations. It failed to make any significant changes within that period, CNIL said Tuesday, and it is now up to the E.U.'s individual member states to take appropriate action based on its report.