After this period has expired, Google has not implemented any significant compliance measures.
Following new exchanges between Google and a taskforce led by the CNIL, the Data Protection Authorities from France, Germany, Italy, the Netherlands, Spain and the United Kingdom have respectively launched enforcement actions against Google.
The investigation led by the CNIL has confirmed Google’s breaches of the French Data Protection Act of 6 January 1978, as amended (hereinafter “French Data Protection Act”) which, in practice, prevents individuals from knowing how their personal data may be used and from controlling such use.
In this context, the CNIL’s Chair has decided to give formal notice to Google Inc., within three months, to:
This formal notice does not aim to substitute for Google to define the concrete measures to be implemented, but rather to make it reach compliance with the legal principles, without hindering either its business model or its innovation ability.
If Google Inc. does not comply with this formal notice at the end of the given time limit, CNIL’s Select Committee (formation restreinte), in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company.
The Data Protection Authorities from Germany, Italy, the Netherlands, Spain and the United Kingdom carry on their investigations under their respective national procedures and as part of an international administrative cooperation.