“Formal enforcement action”
Here’s what the ICO said:
“We believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.
Unified policy, unified response
Thing is, the immediate enforcement action these authorities can take is relatively toothless, particularly for an adversary with deep pockets. We’re talking fines in the hundreds of thousands of euros – hardly enough to make a company like Google sweat. However, Google would be mistaken if it thought it could just brush off their concerns.
There are two reasons for this, the first being the ability of authorities such as ICO to go to the courts and seek a legal order forcing Google to change its ways. I know of no precedent in the UK for this, but the power is there and Google may find itself on the sharp end of it if the company carries on pretending there’s no issue.
The second reason may be more fundamental in the long term: we’re increasingly seeing data protection authorities coordinate their actions in response to companies, like Google, that operate on a cross-border basis. Although international laws do vary, this is even starting to happen at the global level.
Just look at the joint letter sent to Larry Page last month about potential privacy concerns around Google Glass. That letter was signed by data protection authorities from the EU, Canada, Mexico, Israel, Switzerland, New Zealand and Australia.
Privacy officials are clearly waking up to the concept of strength in numbers, not to mention the fact that they can respond more quickly to technological change by cutting down on duplicated efforts. It’s also much harder, even for a company with Google’s resources, to effectively lobby authorities that are all talking to one another.