But just because the EU put Google on the ropes didn’t mean that they were going to start pulling punches. The letter continues to scold Google the way a sagacious parent might discipline a crass, ill-tempered child.
The fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either.
Rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices. Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes even for trained privacy professionals.
The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation.
To that last note, Peter Fleischer, Google’s global privacy counsel, said, “We have notified over 350 million authenticated Google users and provided highly visible notifications on our home page and in search results for our non-authenticated users. To pause now would cause a great deal of confusion for users.”