Europe to Google: respect our laws or face the consequences

By Simon Davies

Europe’s privacy and data protection regulators have launched a substantial attack on Google, mauling the advertising giant’s business practices. The letter, signed by almost all EU regulators, accuses Google of illegality and calls into question the viability of the company’s current operations within the European legal environment.

The letter follows an investigation by the French regulator CNIL (Commission nationale de l’informatique et des libertés) into Google’s new privacy policy that came into effect on March 1st 2012. The new policy empowers the company to share data across a wide spectrum of services. Importantly, this new mandate includes data sharing with embedded services in millions of third-party websites that use AdSense and Analytics.

EU data protection authorities had expressed concern that the new policy may breach several provisions of law. Article 29, acting on behalf of all EU regulators, then requested that CNIL investigate the matter.

Historically, Google has tested the limits of EU data protection, pushing back on such issues as search data retention, the Right to be Forgotten and concerns relating to its Gmail service. This approach is standard practice for some corporations, but the consequence in this case is that regulators felt that they were being ignored, with many believing that the company’s actions increasingly amounted to open defiance of Europe’s Rule of Law.

Google’s spin is that the letter is nowhere near as harsh as the company had expected – indeed it is little more than a set of recommendations and a couple of criticisms. Observers must understand, says the company, that the letter should be viewed in the context of a much warmer and more cooperative relationship between Google, CNIL and Article 29 than existed at the beginning of the year when open criticism from CNIL was particularly harsh. Google asserts that nowhere in the letter was there even a suggestion that the company is acting unlawfully. Go on home folks; nothing to see here.

The reality is somewhat more dramatic. This is a quite brutal communique that goes to the heart of Google’s operations and policies. It challenges some key elements of Google’s business model and it condemns not just the company’s practices, but also impugns its ethical compass. And contrary to the company’s interpretation, the letter confirms that swathes of Google’s activities are fundamentally unlawful and that this illegality must stop. The annex (pdf) to the letter makes fascinating reading and clarifies the true position.

In some respects Google is fortunate that this latest action by regulators is a precedent and that the consequent language is passive. At a time of imminent change to the EU data protection framework, both Article 29 and the individual regulators have expressed themselves with caution. However, the underlying message remains clear and unequivocal: commit to reform or face widespread and effective legal action.

Jacob Kohnstamm, the chairman of Article 29, went as far as to tell the New York Times “We are terribly sorry to the citizens of Europe that this has happened.”

Asked what regulators would do if Google did not accede to change, he said national regulators probably would take legal action to compel reform.

Any data protection specialist reading the Article 29 letter will immediately grasp its significance. Although the language is cast in classic compromise, its meaning is unambiguous.

For example, the text of the letter states:

“In particular, Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.”

This clearly translates to: “We’re finding it hard to discover any reflection of key data protection principles in your policy and you are therefore acting unlawfully”. And in saying that Google’s responses have “not demonstrated that your company endorses the key data protection principles” Article 29 attacks the company itself, rather than merely the privacy policy.

However, it is the following statement which most clearly expresses the parlous position that Google now confronts:

“Combination of data, like any other processing of personal data, requires an appropriate legal ground and should not be incompatible with the purpose for which these data were collected. For some of the purposes related to the combination of data and which are further elaborated in the appendix, Google does not collect the unambiguous consent of the user, the protection of the individual’s fundamental rights and freedoms overrides Google’s legitimate interests to collect such a large database, and no contract justifies this large combination of data.”

Here the regulators are not simply requiring a change to the privacy policy, but a change to the Google business model. This will be the finding that the company has feared most of all, because it blatantly asserts that its business practices are in conflict with EU law.

Google’s immediate response may already have angered some regulators. Peter Fleischer, global privacy counsel at Google, said in a statement: “Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.”

How can a company be confident that its interpretation of EU law trumps the collective view of every privacy regulator in Europe? Perhaps the statement can be brushed away as bravado, but the time for bravado may be over.

The reality is that the letter is an iron fist in a velvet glove. Although camouflaged with words such as “challenge” and “request”, the letter clearly opens the litigation terrain to national regulators who will be doing more than “requesting”. Article 29 has created an evidence-based foundation for all regulators to commence legal proceedings.

The Article 29 findings present a challenge to all companies operating online, but they present particular challenges to Google, which appears to be running headlong against the iceberg. How – or if – the company creates technical, business and legal solutions will become one of the more interesting chapters of Internet history. Equally, the response of Europe’s regulators will become a fascinating chapter in the EU’s legal history.