Google lost another battle on the European regulatory front today when a German privacy commissioner ordered the Silicon Valley search giant to implement strict new controls on how it uses customers’ data.

The Hamburg Commissioner for Data Protection and Freedom of Information had originally ordered the changes last fall following an investigation launched earlier in 2014. Google filed an appeal of that decision, but the commissioner, while making some small modifications, overruled the objections and fundamentally upheld the previous decision.

“It’s now in Google’s hands to implement our stipulations, e.g. by a transparent mechanism for consent to process user data,” said Hamburg’s privacy commissioner Johannes Caspar in a statement. “I expect that this will continue to take place as part of a constructive dialogue and will ultimately result in the clear strengthening of the rights of users of Google’s services in Germany and across Europe as well.”

When the company merged its various services, such as Gmail, calendars and Google Drive, a couple of years ago, it also merged the privacy rules governing those services, a decision that triggered a wave of investigations across Europe.

In the original decision last fall, the Hamburg commissioner said Google must seek the explicit permission of users before merging all of their data into a single profile.

It seems the company is heading in just that direction.

Earlier this year, Google announced a settlement with U.K. regulators over privacy issues. And last month, the company presented proposed changes to a European working group of privacy commissioners who have all been reviewing Google’s privacy policies.

Still, the Hamburg office credited the pressure from European regulators with forcing the company to act, and said that the latest decision would help ensure that progress by Google continues.