«

»

Analysis: Four important consequences of the French ruling against Google

Slide2

By Simon Davies

Earlier today the French national privacy authority CNIL issued a ruling that put Google on notice that it is in breach of national data protection law. The authority has given the advertising giant three months to bring itself into legal compliance.

This is a direct reflection of previous concerns expressed by regulators that amalgamation of all data across the ecosystem will eliminate the ability of consumers to have direct say over how their information is used, by what entities and for which purposes.

CNIL’s position is that Google’s new privacy policy – permitting the company to amalgamate data across all its products and services – breaches law because it “prevents individuals from knowing how their personal data may be used and from controlling such use”.

This is a direct reflection of previous concerns expressed by regulators that amalgamation of all data across the ecosystem will eliminate the ability of consumers to have direct say over how their information is used, by what entities and for which purposes. This view reinforces a data protection principle known as “functional separation” which has widely been upheld as a core safeguard over data. Google’s new policy is the antithesis of functional separation.

There are four important implications of the French ruling. The first is that it is clearly symptomatic of a common EU-wide position being adopted by national regulators. Last week’s ruling by the Swedish data protection authority – banning public sector use of Google cloud services – was based on precisely those concerns, albeit centred on loss of control by authorities themselves.

I understand that the Swedish regulator had consulted with colleague authorities across Europe before issuing its decision. Both Denmark and Norway have taken action on Google cloud services in the recent past.

The timing of CNIL’s judgment is important. The authority notes that both Spain and Germany have decided to commence formal infringement procedures against Google. Given previous form, I would expect the Netherlands to adopt a similar position very soon. Italy – in my view – is likely to follow suit at some point later.

The UK Information Commissioner is the wild card. Until now the ICO has not taken any serious action against Google, even though it had numerous opportunities to pioneer enforcement action. On Street View and on the Street View WiFi grab – as with GMail and the new privacy policy – the ICO has been well positioned to take a strong position, but has so far declined to do so.

Nonetheless – even without a strong position from the UK or Ireland – the tide of regulatory opinion will almost certainly swing against Google throughout mainland Europe.

The ICO has traditionally taken a pragmatic and business-friendly approach to regulation, preferring to rely on “education” rather than penalties. The vast majority of penalties handed out by the UK regulator have been to local government authorities that are unwilling or incapable of appealing.

The UK government’s pivotal role in derailing the most controversial rights in the proposed EU data protection regulation has a partial nexus to this philosophy. While the ICO may itself not lobby energetically to dissuade other regulators from taking a strong stance against Google, its position will by default influence some regulators. The Irish authority will almost certainly take a similarly pragmatic position, certainly in light of its own government’s stated position as holder of the current Council Presidency.

Nonetheless – even without a strong position from the UK or Ireland – the tide of regulatory opinion will almost certainly swing against Google throughout mainland Europe. Possibly the only defence left to Google will be to assert that there’s no evidence it is actually amalgamating data and that regulators have acted unlawfully if they move to issue financial penalties.

However, UK law provides for disclosure orders of company documentation as part of civil proceedings against against the company for breach of privacy. Google would face contempt charges if it failed to produce operational information demanded by the courts. Such brinkmanship would be a risky game for the company.

National governments and the European Commission – bound by strict ethical rules for contracts – may be unable or unwilling to enter into enterprise agreements with the company.

Related to this consequence would be the imposition across Europe of rolling fines. There’s usually a relatively low ceiling for these (in the case of CNIL, 300,000 euros) but certainly in light of the current public mood on privacy issues the trust corrosion would be significant.

The second consequence of the French ruling is that some countries have a legislative nuclear option to suspend the processing of data. Spain is one such country. While monetary penalties may be limited, the ability to take action to suspend services would have significant consequences for the company. Such action would be controversial, but the power to do so exists – even if just in the theoretical realm.

The third consequence is one that should be of deep concern to Google. The immediate financial impact on the company could go well beyond any possible fines. National governments and the European Commission – bound by strict ethical rules for contracts – may be unable or unwilling to enter into enterprise agreements with the company. This would apply equally to the education sector as well as to any public/private partnership enterprises.

Governments require all service providers to warrant that they respect and comply with data protection law. In the current circumstances governments would most likely be required to exclude Google from consideration for contracts. The immediate effect – and the fallout – from this situation would be perilous to the company.

The fourth consequence is one that could not have been anticipated until the past couple of weeks. Public sentiment about data and data protection has reached possibly its most intense level for many years. European Commission leaders are on the warpath over the actions of companies such as Google in lobbying to diminish rights under the proposed new regulation.

Almost certainly much of the hard work the company has done to achieve the pro-business position of the EU Council will unravel. If Google refuses to abide by lawful rulings by Europe’s regulators it may trigger a polemic that may be very damaging to the company’s reputation and interests. Intransigence could result in a backlash amongst MEP’s that will reinstate such measures as the Right to be Forgotten.

However these consequences pan out, Google’s prospects in Europe are not quite as strong as they were this time yesterday.