Google sent responses to half of the questions asked by France’s Commission Nationale de l‘Informatique (CNIL) about three weeks ago in the form of an 18-page letter and a lengthy annex. It will provide the rest by April 15.
The CNIL will then analyse the responses in its role as leader of the investigation on behalf of data protection regulators in Europe’s 27 member states. The CNIL has already said it has “strong doubts” that Google’s new approach to privacy complies with European law.
The French data protection watchdog in March asked Google to explain what it will do with user data it collects, how long it will store it and whether it will be linked to the person’s real identity, as well as the legal justification for its approach.
Jacob Kohnstamm, who heads the Netherlands’ data protection authority and the pan-European advisory body that gathers all such regulators, told Reuters that the investigation could lead Google to face a range of sanctions.
The CNIL can either issue an administrative caution, giving the company anything from a week to a few months to rectify its actions, or impose an outright fine, Kohnstamm said, explaining that many countries in the EU approach breaches differently.
Google’s global privacy counsel Peter Fleischer said in his letter to the CNIL that the company was committed to providing users with comprehensive privacy information and willing to meet European regulators to explain its approach.
“We are convinced that the overall package of our privacy notices respects completely the requirements of European data protection law,” wrote Fleischer.
The U.S. company also said it will pool data it collects on individual users across its services, allowing it to better tailor search results and improve service.
Users cannot opt out of the new policy, which took effect in early March, if they want to continue using Google’s services.
The debate over data privacy comes at a delicate time for Google, whose business model is based on giving away free search, email, and other services while making money by selling user-targeted advertising.
It is already being investigated by the EU’s competition authority over how it ranks search results and whether it favours its own products over rival services. EU Competition Commissioner Joaquin Almunia said last month he would decide whether to formally charge Google after Easter on April 8 or drop the investigation which began in 2010.
The European Union is also in the process of writing a new law to tighten data protection online, which includes creating a so-called right to be forgotten. That would allow people under some circumstances to request the removal of data they had submitted or posted on websites.
Among the issues the CNIL raised in its questions was whether Google will track people using mapping, search their smartphones, or use facial recognition technology on users’ photos.
In the first batch of responses to the CNIL, Google said that it did gather and process location data on its users when they used services such as Google Maps and social network Google+ but that it was on an opt-in basis.
As for the facial recognition feature, dubbed ‘Find my Face’, Google said it was purely optional and users of the social network can easily turn it off.
CNIL also asked 21 out of its 69 questions about Google’s plans to share the data it collects on users across its services, but Google has not yet responded to them.
The tussle is set to continue as the two sides trade barbs via public letters.
“We find it disappointing that some regulators publicly express doubts of lawfulness without having accorded us any chance to engage on the issues of concern,” the group wrote, adding that it had given pre-briefings to 18 regulators.
Kohnstamm, the Dutch data protection chief, hit back saying it was not his job to host “a cup of tea and a chat” for companies. “I am not going to give advice to Google and do so on taxpayers’ money,” he said.
Reporting by Leila Abboud and Claire Davenport; editing by Keiron Henderson and Richard Chang