Google's "new" privacy policy, launched a little over a year ago, is still causing headaches in Europe. But a new pan-European investigation into the policy may cause greater troubles for the search giant.

The French data protection authority, the Commission Nationale de l'Informatique et des Libertes (CNIL), said today that the search giant has failed to respond to its requests to make changes to its controversial privacy policy and has handed the case to European member states to deal with the matter locally.

The U.K., France, Germany, Italy, Spain, and the Netherlands were first involved in the examination of the new privacy policy -- which merged approximately 60 policies for Google products and services into one single policy.

In doing so, it could open Google to multiple fines at a local level in the coming months and quarters, once each authority has concluded its investigation into its privacy practices.

Speaking to ZDNet, the U.K.'s Information Commissioner's Office said that an investigation was under way and in its early stages. An ICO spokesperson said the organization would determine whether or not Google's year-old policy breaches the U.K. Data Protection Act.

Due to the ongoing investigation, the ICO declined to comment further.

The ICO can serve a maximum £500,000 ($758,000) fine against a company that breaches U.K. data and privacy laws. Each data protection authority would have to enact their fines separately, and maximum fines vary by region.

A Google spokesperson in London said in an emailed statement: "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the [data protection authorities] involved throughout this process, and we'll continue to do so going forward."

Not 'in compliance' with European law?

On March 1, Google's new privacy policy took effect. The search giant said it would make its products better and enhance the experience for users, while making advertisements more targeted, allowing for more specific and relevant ads for users.

While Google repeatedly said in statements that it takes the privacy of its users seriously, its balance sheets showed that it still rakes in most of its annual profits through serving ads to its users.

But for the European authorities, Google remains a big target with more than 90 percent market share on the continent.

However, European data regulators warned Google to put the changes on ice after they claimed the new policy may breach European data protection laws. Google said the raising of concerns was a "surprise" and remained on course with its March 1 deadline.

Members of the Article 29 Working Party, a group of data protection officials from each of the member states, charged France's CNIL with investigating the search giant to determine whether or not Google had fallen foul of EU data and privacy laws.

The outcome was initially expected in September of last year, but was revealed in mid-October. The EU body found that Google's new privacy policy may not be "in compliance" with European data and privacy law and that "irregularities were found."

The authority fell short of ruling on whether the new policy was outright in breach of its laws, however.

The 27 European authorities "unanimously adopted the findings of the audit" and gave Google three to four months to comply with the CNIL's recommendations, a buffer that expired in mid-March.

On March 19, Google was invited to a meeting headed by the CNIL and the data protection authorities of the six other European member states, but "no changes have been seen since," the French authority said.

This story originally appeared as "Google faces EU state fines over privacy policy merger" on ZDNet.