Google’s practice of combining personal data from different Google services violates the Dutch data protection act, the Dutch data protection authority (DPA) said Thursday. But Google will not face any enforcement actions for now.
“The investigation shows that Google does not properly inform users which personal data the company collects and combines, and for what purposes,” it said. By doing this, Google “spins an invisible web of our personal data, without our consent,” which is forbidden by law, the DPA said.
“It is almost impossible not to use Google services on the Internet,” the DPA said. Many Internet users in the Netherlands use Google’s search, watch videos on YouTube or use Gmail while Google also collects data from people that do not use Google when they visit one of the over 2 million sites worldwide that use its advertising cookies, it added.
Some data is sensitive and can be used by Google for its own purposes, the DPA said. “Data about search queries, location data and videos watched can be combined,” it said, adding that Google does not adequately inform users about the combining of their personal data from all these different services and what it does with it.
While Google violates the law, the DPA will not immediately result to enforcement measures, it said. Google was invited to attend a hearing after which the DPA will decide if such measures are necessary.
“We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward,” Google added.