- The provision of services where the user requests the combination of data e.g. Contacts & Gmail (case 1)
- The provision of services requested by the user but where the combination of data applies without the user’s direct knowledge e.g. search results personalization (case 2)
- Security purposes (case 3)
- Product development and marketing innovation purposes (case 4)
- The provision of the Google Account (case 5)
- Advertising purposes (case 6)
- Analytics purposes (case 7)
- Academic research purposes (case 8)
While the report recognizes the legality of data combination in some fields, it claims that Google is in violation of EU data protection regulation in cases 2, 4, 6, and 8 as there is "no valid consent" from users. This data combination violates the "fundamental rights and freedoms of the data subject," and if Google wants to continue collecting data in this manner it "should seek consent from the data subjects" for these specific purposes and provide additional controls for its users to manage what data Google collects.
Another area that the investigation highlighted is data retention. According to the report, Google refused to provide either a maximum or typical figure for how long it keeps user data. This led regulators to question the effectiveness of opt-out mechanisms and user deletion requests, and the watchdog has requested that Google set maximum retention periods for the data it collects.
The report also notes that Google does very little to reach out to mobile users and explain what data is being collected from them, and asks that all information Google provides be adapted for mobile. In the future, it wants Google to engage with data protection authorities when it develops services that may have privacy implications.
The watchdog closes its letter to Larry Page by saying its "recommendations do not seek to limit the company’s ability to innovate and improve its products, but rather to strengthen users’ trust and control, and to ensure compliance with data protection legislations and principles." It asks the CEO to respond to the letter, explaining how and when Google will implement the watchdog's recommendations. Google has yet to (publicly) respond to the EU's request.