Spain – Spanish DPA informs EU DPAs of Google privacy policy progress - DAC Beachcroft

All Collections

Sort By

Related Articles

Spain – Spanish DPA informs EU DPAs of Google privacy policy progress's Tags

Tags related to this article

Spain – Spanish DPA informs EU DPAs of Google privacy policy progress

Published On: 1 February 2016

What does this cover?

On 16 December 2015 the Spanish Data Protection Agency (DPA) participated in a plenary meeting with the European Data Protection Authorities within the Article 29 Data Protection Working Party (WP29). The WP29 discussed the progress made in national proceedings in respect to the unified privacy policy launched by Google in 2012.

In the Spanish case the proceedings terminated in December 2013 declaring the existence of three serious infringements of the Spanish Data Protection Law (the DPL) imposing a fine amounting to EUR 900,000 and making a request to Google to take the necessary steps to amend its privacy policy in compliance with Spanish law.

During the proceedings it was demonstrated that Google collected personal information through nearly a hundred services and products offered in Spain, in many cases not providing adequate information about what data were collected, the purposes it was used for and without obtaining a valid consent of data subjects. In addition, Google combined the personal information obtained through the different services or products in order to use it for multiple purposes that were not clearly determined, thus violating the prohibition to use data for purposes other than those for which those data were collected. Moreover, Google stored and maintained data for periods of time indeterminate or unjustified, thereby contravening the legal requirement to delete data when it ceases to be necessary for the purpose for which it was collected. The DPA concluded that Google hindered, and in some cases prevented, the exercise of the data subject rights of access, rectification, cancellation and opposition.

The DPA demonstrated that Google unlawfully collected and processed personal information of both authenticated (those who log into their Google accounts) and non-authenticated users, as well as of those who act as “passive users” because they have not requested Google’s services but accessed web pages that included elements managed by Google.

During the WP29 meeting, the DPA informed those present that it has been examining the evolution of Google's privacy policy over the past year. In this regard, the DPA has found that Google has implemented significant changes in terms of information provided to users, consent and exercise of rights. Google has agreed to adopt a number of additional measures specifically requested by the DPA, such as increasing the list of services with specific privacy policies and the extension of privacy reminders campaigns both to other Google products and to Android users. One of the commitments adopted by the company is to maintain an ongoing dialogue with the DPA on the implementation of new measures and to report any changes that may affect the privacy of citizens.

The WP29 agreed to continue the coordinated action initiated in this respect by the DPAs of Germany, Spain, France, Holland, Italy and the UK.

A press release from the Spanish DPA is available here (Spanish).

Article submitted by Irene Robledo de Castro, Spanish counsel – Spain

What action could be taken to manage risks that may arise from this development?

None – for information only.

 

Beta