Commentary

Why Google Now Faces A London GDPR Probe

If you cannot explain it on the back of an envelope, don't bother. That is how Winston Churchill used to view world issues, or words to that effect, and it's very good advice for any business grappling with privacy in the post-GDPR era.

Google has already received a 50m Euro fine from CNIL, France's data watchdog, for a complicated privacy policy that it believes contravenes GDPR. Today, news is breaking that the ICO in London is also investigating a rise in the number of privacy complaints against Google since GDPR became law. It has said this spike could be due to people now having a better awareness of privacy since last May's change in the law.

The watchdog has confirmed it is liaising with other privacy regulators across the EU to discuss "possible next steps."

The widespread reporting of the previous massive fine from Paris, which Google has already said it will contest, seems to centre on a highly complicated privacy policy that cannot be understood and, reports suggest, is spread across different pages.

There have even been reports of assumed opt-in in parts of the policy that seem very odd, if they are proven correct, considering it was a basic concept of GDPR that all consent needed to be given by clear action from a consumer.

This morning's Telegraph article also hints at the big faux pas I immediately thought Google had made -- and perhaps others have too -- but for now we're on the subject of Google.

The day after GDPR became law nearly nine months ago, there were instant reports that consent was being forced. It was all a case of take it or leave it.

That was certainly how I felt when consenting to Google. I must say Facebook kind of gave me the same feeling too, although if I were a privacy black belt I may have been able to plough through the privacy notice to get more control.

On first inspection, and let's stick with the case in hand, Google just seemed to be saying, accept this or go away. It was a "my way or the highway" type of consent. There was no clearly visible means of understanding decisions and working out what the service would have been like with or without giving consent to different aspects of its service.

The ICO's guidance that brands should be "granular," "clear" and "concise" seems to not have been followed as well as it might have been. It is also difficult to find how consent can be withdrawn after it has been granted -- another major point with GDPR.

Another part of the spirit of GDPR, and I'm pretty sure it was the letter of the law too, is that people shouldn't be punished in any way for not giving consent. This is an area that privacy watchdogs will have to look at.

Was there a way Google could have not lumped consent together and made it appear like it was being forced upon people? Could it have been unpicked so people could give consent to ensure they continue watching YouTube and enjoying Gmail, for example, without handing over every aspect of consent through clicking "ok" once?

It will take a lot of unravelling for someone to get in there and unpick how Google's new privacy works. 

The bad news for Google is that this is now happening, and not in Ireland where it is based, but instead in the multiple countries where its services operate across the EU.

The ICO has revealed that it is talking with other regulators across the EU -- and that cannot be welcome news for Google. It already has a massive pair of fines from the European Commission totalling 6.7bn Euros for anti-competitive behaviour and now faces the 50m Euros fine from CNIL being repeated in London and beyond. 
