In an unprecedented move, the European Union's national data protection regulators have asked Google to make changes to its new privacy policy to protect the rights of its users.

The request was made in a formal letter sent on Tuesday (16 October) by the EU's Data Protection Authorities united within the so-called Article 29 Working Party. The letter was signed by 24 of EU's 27 data regulators plus those of Croatia and Liechtenstein.

Leading the inquiry on behalf of Europe, France's data protection watchdog – the Commission Nationale de l'Informatique et des libertés (CNIL) –  had already questioned the legality and fairness of Google's new privacy policy, introduced in March.

This consolidated 60 privacy policies into one and pooled data collected on individual users across its services, including YouTube, Gmail and its social network Google+. Users cannot opt out.

The regulators' letter said: "Combining personal data on such a large scale creates high risks to the privacy of users."

"The investigation showed that Google provides insufficient information to its users [including passive users], especially on the purposes and the categories of data being processed," the regulators wrote.

Regulators said the investigation "confirmed our concerns about the combination of data across services," saying Google's new Privacy Policy, released on 27 July, allows it to "combine almost any data from any services for any purposes".

"Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed," the letter says.

"Therefore, Google should modify its practices when combining data across services for these purposes," the letter said.

Google did not immediately react.

In the past, the company has said the changes would allow it to tailor search results more accurately and improve services for consumers. Google has also said previously it is confident that its privacy policy does not run foul of European law.

In the letter, the regulators listed 12 "practical recommendations" for Google to bring its privacy policy into line. The first five cover how Google tells people about how their personal information and browsing records will be used, highlighting location data and credit card data in particular.

The regulators also want Google to spell out its intentions and methods for combining data collected from its various services. They want the web search giant to ask users for explicit consent when bundling data together, the letter said.

Online ads

The pooling of anonymous user data across Google services, is a big advantage when selling online ads.

Google and other large internet groups like Facebook provide free services to consumers and earn money from selling ads that they say are more closely targeted than traditional TV or radio campaigns.

Chris Watson, a lawyer at CMS Cameron McKenna LLP, said "Google is being very aggressive and are playing for high stakes because these [privacy policy] changes are very valuable to their advertising business."

"They may be prepared to test the legal position in Europe to see what they can get away with."

The tussle with the EU over data privacy comes at a delicate time for Google.

Europe's antitrust authorities are also examining the company's business model to see if it uses its clout in search advertising to favour its own services over competitors' offerings. Google is in talks with EU regulators on the case, and could offer concessions.