By Simon Davies
Europe’s privacy and data protection regulators have launched a substantial attack on Google, mauling the advertising giant’s business practices. The letter, signed by almost all EU regulators, accuses Google of illegality and calls into question the viability of the company’s current operations within the European legal environment.
Historically, Google has tested the limits of EU data protection
EU data protection authorities had expressed concern that the new policy may breach several provisions of law. Article 29, acting on behalf of all EU regulators, then requested that CNIL investigate the matter.
This is a quite brutal communique that goes to the heart of Google’s operations and policies. It challenges some key elements of Google’s business model and it condemns not just the company’s practices, but also impugns its’ ethical compass.
Google’s spin is that the letter is nowhere near as harsh as the company had expected – indeed it is little more than a set of recommendations and a couple of criticisms. Observers must understand, says the company, that the letter should be viewed in the context of a much more warm and cooperative relationship between Google, CNIL and Article 29 than existed at the beginning of the year when open criticism from CNIL was particularly harsh. Google asserts that nowhere in the letter was there even a suggestion that the company is acting unlawfully. Go on home folks; nothing to see here.
The reality is somewhat more dramatic. This is a quite brutal communique that goes to the heart of Google’s operations and policies. It challenges some key elements of Google’s business model and it condemns not just the company’s practices, but also impugns its’ ethical compass. And contrary to the company’s interpretation, the letter confirms that swathes of Google’s activities are fundamentally unlawful and that this illegality must stop. The annex (pdf) to the letter makes fascinating reading and clarifies the true position.
In some respects Google is fortunate that this latest action by regulators is a precedent and that the consequent language is passive. At a time of imminent change to the EU data protection framework both Article 29 and the individual regulators have expressed themselves with caution. However the underlying message remains clear and unequivocal: commit to reform or face widespread and effective legal action.
the underlying message remains clear and unequivocal: commit to reform or face widespread and effective legal action
Jacob Kohnstamm, the chairman of Article 29, went as far as to tell the New York Times “We are terribly sorry to the citizens of Europe that this has happened.”
Asked what regulators would do if Google did not accede to change, he said national regulators probably would take legal action to compel reform.
Any data protection specialist reading the Article 29 letter will immediately grasp its significance. Although the language is cast in classic compromise, its meaning is unambiguous.
For example, the text of the letter states:
“Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user, the protection of the individual’s fundamental rights and freedoms overrides Google’s legitimate interests to collect such a large database, and no contract justifies this large combination of data.”
the letter clearly opens the litigation terrain to national regulators
How can a company be confident that its interpretation of EU law trumps the collective view of every privacy regulator in Europe? Perhaps the statement can be brushed away as bravado, but the time for bravado may be over.
The reality is that the letter is an iron fist in a velvet glove. Although camouflaged with words such as “challenge” and “request” the letter clearly opens the litigation terrain to national regulators who will be doing more than “requesting”. Article 29 has created an evidence-based foundation for all regulators to commence legal proceedings.
The Article 29 findings present a challenge to all companies operating online, but they present particular challenges to Google, which appears to be running headlong against the iceberg. How – or if – the company creates technical, business and legal solutions will become one of the more interesting chapters of Internet history. Equally, the response of Europe’s regulators will become a fascinating chapter in the EU’s legal history.