In a letter to Google CEO Larry Page dated March 16, the Commission Nationale de l‘Informatique (CNIL) asked Google to explain what it will do with user data it collects, how long it will store it and whether it will be linked to the person’s real identity, as well as the legal justification for its approach.
The CNIL is leading an investigation on behalf of data protection regulators in Europe’s 27 member states, and it has already said it has “strong doubts” that Google’s new approach to privacy complies with European law.
Among the issues the CNIL raises is whether Google will track people using mapping or search on their smartphones, and whether the company will collect information stored on the phone such as contacts in the address book.
The regulator also seemed particularly concerned about Google’s plan to share the data it collects on users across its services, asking 21 out of 69 questions about such sharing and their legal basis.
The U.S. company also said it will pool data it collects on individual users across its services, allowing it to better tailor search results and improve service.
Users cannot opt out of the new policy, which took effect in early March, if they want to continue using Google’s services.
The move sparked the European investigation as well as concern from Japanese and U.S. officials.
The tussle over data privacy comes at a delicate time for Google, whose business model is based on giving away free search, email, and other services while making money by selling user-targeted advertising.
It is already being investigated by the EU’s competition authority and the U.S. Federal Trade Commission over how it ranks search results and whether it favors its own products over rival services.
Google is also operating under a so-called “consent decree” that resulted from a settlement with the FTC reached last year over its handling of privacy around its botched roll-out of social network Buzz. It must submit to privacy audits every two years for 20 years.
The European Union is in the process of writing a new law to tighten data protection on-line, which includes creating a so-called right to be forgotten to allow people under some circumstances to request to have data they submitted or posted on websites removed.
Google did not respond to a request for comment.
Editing by David Holmes