France's Commission Nationale de l'Informatique, working on behalf of the EU's 27 national data regulators, said on Tuesday it had found legal flaws with a new approach to user data that Google adopted in March.
Among CNIL's concerns was the way the U.S. group combines anonymous data from users' browsing histories across its services to better target advertising.
Google may face disciplinary action at a national level
CNIL president Isabelle Falque-Pierrotin said regulators were prepared to talk to Google, adding: “If Google does not conform in the allotted time, we will enter into the disciplinary phase”.
Some national data protection regulators including those in Belgium, France and the Netherlands have, in the past, imposed fines on companies that have breached rules. Such sanctions cannot be imposed EU-wide.
When Google was found to have broken data protection rules after its Street View cars collected unauthorised data on public wifi networks in 2010, it faced dozens of separate cases.
In that episode, Google was fined 100,000 euros by the French watchdog and the Netherlands threatened a 1 million euro fine if it did not change its policy.
Google's new approach to data, which consolidated 60 privacy policies into one, allows the pooling of information collected on individual users across its services, including YouTube, Gmail and the Google+ social network. Users cannot opt out.
Jacob Kohnstamm, the Dutch data protection boss and head of the working group of EU data protection regulators, said it was the first time regulators had cooperated on an investigation.
“Since internet companies know no borders, it is indispensable that data protection work together,” he said.
Chris Watson, a lawyer at CMS Cameron McKenna LLP, said: “How the case turns out will be an important test case of Europe's (EU) ability to enforce its point of view on online privacy”.