While the new policy is exemplary in its clear language, the issues the CNIL enumerates are not so arcane as to concern only specialists in data privacy law.
While all this sounds like formalities, complying with EU data privacy law is all about formalities. Google should know this better than anyone today, especially considering the level of expertise they have in data privacy matters.
As it is, Google has (for simplicity’s sake, one would surmise) used a negative definition of what it will not do with an individual’s personal data. From a philosophical point of view, this is a bit like the difference between Civil and Common Law conceptions of liberty. For Civilists, a right doesn’t exist unless it is enumerated. Civilists like things written down.
I think that we’ll likely see more PR pushback from Google in the next few weeks until their global data privacy counsel can talk his colleagues and clients into conceding that their new policy could use a few links to deeper explanations to be compliant with EU law. Google wants to be a good European, after all.