In March 2012 Google changed its Privacy Policies much to the dissatisfaction of many countries in the EU, but in spite of the complaints Google has not changed its Privacy Policies. In October 2012 a letter was sent to Google demanding changes within 4 months by CNIL (Commission nationale de l’informatique et des libertés). Then in April 2012 after Google failed to change its Privacy Policies France, Germany, Italy, the Netherlands, Spain, and the United-Kingdom declared they would pursue their own claims.

Yet little has happened until now. On June 10, 2013 the CNIL issued an order to Google to comply with the French Data Protection Act within 3 months which included the following:

  • Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
  • Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
  • Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
  • Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
  • Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page;
  • Inform users and then obtain their consent in particular before storing cookies in their terminal.

Given the recent revelations of PRISM this order is even more fascinating, and depending upon what Google does in response to this order may help frame privacy in France for years to come.