Google collects and combines "vast amounts of personal data about internet users" without fully warning its users or justifying the need to have all that information, according to a European Union-led investigation into its new privacy principles.

A report found Google users often do not know how much personal data is collected, stored and combined from multiple sources for Google's own advertising, marketing and research purposes.

A working group of Europe's data protection commissioners wrote to Google's co-founder and chief executive, Larry Page, voicing concerns about the new privacy policy released by Google in March that "allows [it] to combine almost any data from any services for any purposes".

They argue there are no contracts between Google and its users that "justifies this large combination of data" and there is no opportunity for ordinary users to control which information is combined.

The letter was delivered in the same week as Google's share price dived 9 per cent after its revenue and income failed to meet analyst expectations because it took in less advertising revenue and its expenses increased.

Google's global privacy counsel Peter Fleischer said it was was reviewing the report.

"Our new privacy policy demonstrates our long-standing commitment to protecting our users' information and creating great products. We are confident that our privacy notices respect European law," he said.

Google's new privacy policy replaced 60 different documents and was welcomed because the world's largest search engine is now providing more transparency than before. However, the increased transparency also raised new concerns.

Australia's Privacy Commissioner, Timothy Pilgrim, conducted a review of the new privacy principles and fully supports the European's findings and recommendations.

"I think it was a good demonstration that Google were prepared to be transparent and an admirable approach that other organisations should think about doing. [It] highlights what is happening with people's personal information. This is useful because I don't think a lot of people were aware of how much information is collected about them via Google across its various platforms."

He says internet users should always read a website's privacy policy - even if it is wordy and cumbersome.

The investigation found Google collects and combines personal data from multiple sources, such as Google+ accounts, Gmail accounts (including email content), web searches, and YouTube searches to build individual profiles, and uses the information for targeted advertising.

Meanwhile passive Google users - those without an account who perform simple searches, or use Google maps or YouTube - are "generally not informed that Google is processing personal data, such as IP addresses and cookies".

IP addresses identify which computer is being used while "cookies" are small pieces of data sent by websites - in this case Google - that are stored in a user's browser. Every time users revisit Google the cookie provides Google with information about previous activity.

The EU working party recommends Google provide detailed information on the exact purposes for collecting personal data such as their location, credit card information, telephone numbers, and unique device identifiers. They also recommend Google provide simpler opt-out mechanisms.

"Google should seek consent from the data subjects for the combination of data for these purposes and provide additional controls to users regarding these combinations," the Data Protection Working Party noted in its final report.

Employees in companies using Google Apps may have no choice but to use it, and their "consent may therefore not be valid". Google should also limit how much information it reaps from these users, the report recommends.

Other recommendations include: clearly informing users they can use Google accounts without providing their real name; and mentioning that biometric data (facial recognition) may be used and that Google should explain how it collects and stores face templates.