Google is facing enforcement action — and possibly fines — in six European Union member states after it failed to make changes to its privacy policy following requests by European data protection regulators. The six countries that have today launched data protection investigations into Google’s unified privacy policy are France, Germany, Italy, the Netherlands, Spain, and the U.K.
The UK’s Information Commissioner’s Office gave the Verge the following statement confirming it has launched an investigation into whether the policy infringes national law:
The ICO has launched an investigation into whether Google’s revised March 2012 privacy policy is compliant with the Data Protection Act. The action follows an initial investigation by the French data protection authority CNIL, on behalf of the Article 29 group of which the ICO is a member. Several data protection authorities across Europe are now considering whether the policy is compliant with their own national legislation. As this is an ongoing investigation it would not be appropriate to comment further.
Back in February, the French data protection regulator, CNIL, called out Google for failing “to come into compliance” within the four month period set out by the original October report into the policy, conducted by the Article 29 Working Party — and said Mountain View would therefore face additional action. Representatives of Google met with the CNIL-led taskforce last month but, according to CNIL, “following this meeting, no change has been seen” — thereby triggering today’s national actions.
The CNIL’s release states:
It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation. Consequently, all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation (investigations, inspections, etc.)
In particular, the CNIL notified Google of the initiation of an inspection procedure and that it had set up an international administrative cooperation procedure with its counterparts in the taskforce.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
This latest brush with Europe’s data protection watchdogs was triggered by Google’s action last year to consolidate more than 60 separate product privacy notices into one unified policy. After an investigation, European privacy regulators published a list of privacy recommendations for Google, including suggesting the company should make it clearer to users how their personal information may be used, and how it is collected and collated from different services. They also wanted Google to offer users an opt-out. It is these recommendations that Google has apparently failed to comply with, resulting in today’s actions.
Google provided TechCrunch with the following statement regarding the latest stage of the CNIL-led action: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the DPAs involved throughout this process, and we’ll continue to do so going forward.”
It’s unclear whether the European action contributed to the departure of Google’s director of privacy Alma Whitten, announced yesterday.
