Postscript 30 September 2013: see here for the CNIL press release stating that Google has failed to comply and shall be served an official enforcement notice.
I reported earlier on the referral to the ECJ of questions surrounding jurisdiction under the data protection Directive: the AG’s Opinion in that case, C-131/17 is due tomorrow (25 June). Last week, the French data protection authority (‘CNIL’) ordered Google to comply with the French Data Protection Act, within three months. That in itself of course is testimony to the French determination in their own national procedure. However the agency’s action is unusual in that it announces co-ordinated action between a wide variety of European data protection agencies. CNIL notes
‘The Data Protection Authorities from Germany, Italy, the Netherlands, Spain and the United Kingdom carry on their investigations under their respective national procedures and as part of an international administrative cooperation.
- The Spanish DPA has issued to Google his decision today to open a sanction procedure for the infringement of key principles of the Spanish Data Protection Law.
- The Data Protection Commissioner of Hamburg has opened a formal procedure against the company. It starts with a formal hearing as required by public administrative law, which may lead to the release of an administrative order requiring Google to implement measures in order to comply with German national data protection legislation.
- As part of the investigation, the Dutch DPA will first issue a confidential report of preliminary findings, and ask Google to provide its view on the report. The Dutch DPA will use this view in its definite report of findings, after which it may decide to impose a sanction.
- The Italian Data Protection Authority is awaiting additional clarification from Google Inc. after opening a formal inquiry proceeding at the end of May and will shortly assess the relevant findings to establish possible enforcement measures, including possible sanctions, under the Italian data protection law.’
Other than perhaps in competition law, such co-ordinated action among national authorities is rare. That it should be in data protection, confirms the relevance which Europeans and their legislators attach to the protection of personal data.