Of Men and Mice: Should the EU Data Protection Authoritiess Reaction to Google's New Privacy Policy Raise Concern for the Future of the Purpose Limitation Principle?

Abstract

Google’s announcement in January 2013 that it intended to revise and consolidate its privacy policy sparked an almost immediate reaction from EU data protection regulators. Concerned what the changes could mean for internet users given Google’s dominance within the EU not only of the market in online search but also in other online sectors, the Article 29 Working Party launched an investigation into the new policy and its compliance with EU data protection law. The new policy granted Google broad new powers to combine personal data collected via its different services and to use them for a wide range of purposes. In doing so the policy does not distinguish between personal data Google already held at the time the new policy came into force and data that it collected afterwards. Under EU data protection law, data controllers must process personal data in compliance with the limitation This means that personal data can only be collected for specified, explicit and legitimate purposes and must not be further processed in a way incompatible with those purposes. This article explores whether or not Google’s new privacy policy complies with the purpose limitation principle and the way in which EU data protection authorities have reacted to its implementation at EU and national level at a time when the EU data protection framework as a whole is under review.