The Dutch government is clamping down on the way in which large organisations use its citizen’s personal data.
The company has been given until the end of February 2015 to change how it handles personal data, especially in regard to the tailoring of adverts based on keyword search queries, video viewing habits, location data and the content of email messages.
Jacob Kohnstamm, chairman of the Dutch DPA, said:
Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested.
Kohnstamm explained how, under Dutch law, Google should have informed users that it was gathering data across a number of platforms – such as YouTube and Gmail – and obtained permission before combining or analysing that data.
It also ordered the company to add clarification to the policy so that users are better informed as to how each of the company’s services is using their data.
Furthermore, Google is required to make it clear that YouTube is part of its setup, though the DPA did note that this already appeared to be underway.
Five other regulators – in France, Germany, Italy, Spain and the UK – have recently received a letter from Google detailing how it intends to comply with European privacy laws but the Dutch DPA says it has yet to establish whether the proposals will suffice within its own jurisdiction.
While the DPA’s gripe with Google awaits resolution, it has now moved onto fellow data gatherer Facebook.
The social network announced last month that it intends to make changes to its policy, effective from 1 January 2015.
As Facebook has a physical presence in the Netherlands, the DPA says it is authorised “to act as supervisor”, as per a European Court of Justice ruling on Google vs. Spain on 13 May 2014 (the ‘right to be forgotten‘ case).
The latest iteration of the policy states that Facebook can use:
your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it.
Given how the key points of the policy have not changed since it was last revised in November 2013, it seems unlikely Facebook will comply with the DPA’s wishes.
According to The Telegraph, the company responded by highlighting how it is “a company with international headquarters in Dublin”, which routinely reviews its policies and procedures with its own regulator, the Irish Data Protection Commissioner.