Google breached Dutch data protection laws by combining data on users of its different services, said the Netherlands’ privacy watchdog. The decision came after a seven-month investigation into changes Google made to its privacy policy.
The changes were made in March 2012 and meant Google gathered data on people who used more than one of its services. Google said it provided specific information to users about the data it collected on them.
In a summary of its findings, the Dutch Data Protection Authority (DPA) said that Google’s policy did not do enough to specify what it was collecting data for.
Dutch data laws do allow information to be gathered about individuals but only for a particular purpose or business goal. Because Google did not set out exactly what it was doing with data it was "acting in breach" of the country’s laws, said the DPA in a statement.
In addition, said the DPA, Google had not done enough to win consent from its users to grab data in the first place. The search giant had to work harder to get "unambiguous" consent from users to combine data.
Google had also failed to put in place good enough safeguards to ensure data about the same user across services was combined legitimately, added the DPA.
"Google spins an invisible web of our personal data, without consent," said Jacob Kohnstamm, DPA chairman in a statement. "That is forbidden by law."