The French data protection commission (CNIL) led the investigation and has been working with bodies in other nations to determine whether Google's policy violates EU privacy laws.
Google announced the unified policy back in January, a move that incorporated users' Gmail, YouTube, Blogger and other accounts, therefore allowing the company to combine user data across its products.
The search giant put the changes into action two months later, but failed to give users the opportunity to opt-out of the new policy.
Going for blood
The CNIL has given Google 'months' to put the changes into action; the search giant must give clearer information about what data it is collecting and why.
As such, the company is now reviewing CNIL's report.
The report requests three major changes from Google: it must let members choose what data is collected about them, offer an opt-out tool and finally the company must prove that users' data will only be used in ways they have consented to.
One London-based privacy lawyer interviewed by the publication said the EU may have appointed one of the tougher data protection agencies among member states in order to ensure maximum results.
"By putting the CNIL in charge of this, the EU was going for blood," Chris Watson of CMS Cameron McKenna told The Guardian. "It was a declaration of intent."
"The point is that Google is an international company which is leveraging its power in the browser and its other services in a way that affects national businesses all over the EU.
"There's great political importance in the data protection commissioners doing something, because if they think there's a breach and they don't do anything about it, what's the point of having them?"
"The EU's decision may create a domino effect and lead regulators in the U.S. and other parts of the world to impose similar restrictions on Google's ability to intermingle and monetise user data," said Bradley Shears, a U.S. based lawyer.
Jim Killock, of the Open Rights Group, welcomed the news. He said, "It's good to see European data protection authorities take action so that users gain control of their data.
"This must be backed by strong new data protection powers, for fines based on turnover, and rights to retrieve and to delete your data."
Via The Guardian