The CNIL review could lead to financial penalties or administrative sanctions for the U.S. search giant, but it is not clear whether they would be imposed collectively or if individual states would seek their own fines. The CNIL can impose fines of up to 300,000 euros ($382,200), and other European regulators can levy higher penalties.
“All options are on the table,” said CNIL president Isabelle Falque-Pierrotin told Reuters in an interview.
“We are not totally satisfied with their responses so we have set up this meeting to discuss the issues with Google.”
Google has already provided a 94-page response to a CNIL questionnaire on the new policy, which took effect in March.
“We want to untangle the precise way that specific personal data is being used for individual services, and examine what the benefit for the consumer really is,” added Falque-Pierrotin.
Under the magnifying glass..
Under its new system, Google consolidated 60 privacy policies into one and completed its ability to pool the data collected on users across its services, including YouTube, Gmail and its social network Google+. The Mountain View, California-based search giant says this allows it to better tailor search results and improve services for consumers. Users are not allowed to opt out. The move was met with concern not only from Europe, but also from U.S. lawmakers and regulators as far afield as Japan, Canada and Argentina.
Anthony House, a Google spokesman, said the company welcomed the meeting with the CNIL and was confident its privacy notices “respected the requirements of European data protection law”.
“The meeting will give us chance to put things into context and explain the broader actions we are taking to protect our users' privacy,” he said.
The debate over data privacy comes at a delicate time for Google, whose business model is based on giving away free search, email, and other services while making money by selling user-targeted advertising.
It is already being investigated by the EU's competition authority over how it ranks search results and whether it favors its own products over rival services. The European Union is also in the process of writing a new law to tighten data protection online, which includes creating a so-called right to be forgotten. That would allow people under some circumstances to request the removal of data they had submitted or posted on websites. “Our aim is not to single out or demonise one technology company more than another,” said Falque-Pierrotin. “People are waking up to the fact that their whole lives are online and becoming more sensitive about it.”