Google may face joint legal action from European countries over data protection concerns. The regulators could even sue to block Google from operating in Europe. Photograph: Britta Pedersen/EPA
Google could face fines from six European countries' privacy regulators, including the UK and Germany, after refusing to reverse changes to its privacy policies made in March 2012.
The search company has infuriated the regulators by declining to respond to their demands made over multiple months – even as research shows that user concerns about online privacy are high.
France's privacy body, CNIL, together with its counterparts in the UK, Netherlands, German, Spain and Italy, said on Tuesday they will take joint legal action involving an investigation and possible fines. The UK's information commissioner's office (ICO) can levy fines of up to £500,000 for breaches of the Data Protection Act. A decision is expected by summer 2013. CNIL could fine it up to €300,000 (£255,000).
However, even both fines added together would be less than Google generates in sales in 10 minutes. Yet the regulators could sue to block Google from operating in Europe – a move that would be highly damaging to its reputation.
Google's rival Facebook has been forced in the past to make a number of changes to its operation to comply with Europe's data protection laws, which are significantly tougher – but more fragmented – than those in the US.
The move comes while European competition regulators are separately trying to decide what action to take to prevent monopoly abuses by Google, which has about 95% of the European search market.
The decision will be the first big challenge for Google's new privacy director, Lawrence You, a software engineer based at Google's Mountain View headquarters in California – replacing London-based Alma Whitten, another engineer who was the first to have the job created in October 2010.
This is not unfamiliar ground for the new director – You worked with Whitten on combining the privacy policies together last year.
After an earlier data protection investigation concluded in October, CNIL said in a statement on Tuesday that "the EU Data protection authorities asked Google to comply with their recommendations within four months," . "After this period has expired, Google has not implemented any significant compliance measures."
The agencies complained of being stonewalled by Google for over a year about their concerns that its unification of more than 60 separate privacy policies last year could confuse users and leave them unsure how their data was being used.
"We put our concerns to Google [in October] and gave them a date to respond," said a spokesperson for the ICO. "They failed to respond. We had a meeting in March and Google was present, and gave them a deadline to respond. They failed to respond. Google has failed to address the concerns or take on board the recommendations from the meeting held last month."
A Google spokesperson said: "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the data protection authorities involved throughout this process, and we'll continue to do so going forward."
Research published by the privacy pressure group Big Brother Watch in February revealed 68% of the British public expressed concern about their online privacy, with 22% of the total saying they were "very concerned". The same research found that 71% felt it was right for privacy regulators to investigate the changes in Google's privacy policy last year, and two-thirds said the regulators should do more to force Google to comply.
As the latest moves were announced on Tuesday, Nick Pickles, director of Big Brother Watch, said: "Google has repeatedly put profit ahead of user privacy and the way that the company ignored concerns from regulators around the world when it changed its privacy policy showed just how little regard it has for the law. Just because Google is a big business does not put it above the law. The company has ignored the authorities and refused to make any meaningful changes to how it collects and uses people's data."
"There is a wider debate going on about personal data and who owns and controls personal data," Colin Strong, a technology analyst with GfK, told the Associated Press. "The question is the extent to which consumers understand the value of their personal data and the extent that they are happy with the trade that they're getting."
Sources at Google told the Guardian that the company filed a response to the October recommendations in January, but added "no change [in privacy policies] isn't the same as no response".
The rolling-up of the policies sparked an investigation led by CNIL last year. Google's intent was to combine user data from the different services, so that videos watched on YouTube would inform the choice of advertising shown when doing Google searches or reading Gmail.
In October, CNIL and the other regulators criticised the changes, and demanded alterations. Google declined to do so.
Pickles said: "Consumers are increasingly concerned about how their data is being used, and it is essential that those breaking the law are properly punished. It is essential regulators find a sanction that is not just a slap on the wrists and will make Google's think twice before it ignores consumer rights again."
"No one is against Google's objective of simplicity. It's legitimate. But it needs to be accompanied by transparence for consumers and the ability to say yes or no," Isabelle Falque-Pierrotin, head of CNIL, said recently. "[But] consumers have the right to know how the information is being used and what's being done with it."