«

»

Five questions European regulators need to ask Google – and Al Capone

246 - Al Capone Front

Readers may recall the story of legendary US gunslinger Billy the Kid. If so, you probably have a fond view of this extraordinary figure. He comes across in many historical accounts as a good natured Robin Hood character who won widespread love and respect in urban legend

Some privacy and market regulators have until now been treating Google as if it was a modern day Billy the Kid.

Billy the Kid achieved such acclaim in his day that he even succeeded in winning cover from lawmakers and sheriffs. Somehow this likeable young man attracted enough of a fan base among the law enforcement community that he managed to escape justice on numerous occasions, falling dead only after a huge bounty had been placed on his head.

It seems to me that some privacy and market regulators have until now been treating Google as if it was a modern day Billy the Kid. Time and time again they have acted as if the organisation was little more than a roguish miscreant that endearingly defies law and order while serving some sort of formless public good. Some have given a green light to operations such as Street View that were later shown to be – at best – legally dubious, while others have completely ignored blatant competition issues.

There is a dangerous element to treating corporations this way. Given enough time and immunity, people like Billy the Kid grow up to become a more sinister and uncontrollable force. Al Capone springs to mind.

There is a dangerous element to treating corporations this way. Given enough time and immunity, people like Billy the Kid grow up to become a more sinister and uncontrollable force. Al Capone springs to mind.

You’ll remember that Capone’s operation grew in the space of a few years from a cute backstreet gang to a giant crime empire that controlled much of Chicago’s prohibition-era racketeering, gambling and booze smuggling. His public persona however was – yet again – that of a modern day Robin Hood, supporting worthy causes and funding soup kitchens.

Capone’s sharp legal advice, astute lobbying and wholesome public image put him out of the reach of law enforcement. It was only when Elliott Ness and the “Untouchables” got on his case that he was finally dragged down on tax evasion charges.

No-one is accusing Google of bootlegging or gunslinging (not yet anyway), but in the realm of privacy and data protection the time has surely arrived for the appearance of an Elliott Ness who is prepared to ask some tough and very specific questions. There is a Saint Valentine’s Day Massacre of personal data taking place, and European authorities need to stop being cowed by Google’s public image.

I know the era of Cloud, Apps and Big Data can be confusing to many officials who see their function as legal regulation rather than technology analysis, but the two domains are converging fast and there is no longer any excuse for ignoring questions of technology application. Those EU regulators who have only just learned how to set the clock on their mobile phone had better start bringing in some serious IT advice.

There is a Saint Valentine’s Day Massacre of personal data taking place, and European authorities need to stop being cowed by Google’s public image.

An opportunity for a highly focused investigation will present itself in the next few weeks as Google appears before the Article 29 group of EU regulators to answer questions about its conduct. The company appears to have entered a phase of open defiance of Europe’s data protection law, questioning the French regulator’s (CNIL) competence, refusing to answer questions about its new privacy policy and calling into question the basis of Europe’s privacy rights.

I have a hundred questions, but here are five that I believe Article 29 and CNIL should be asking as a matter of urgency:

1.  In February, reports surfaced that Google has been transferring to app developers the personal information of every Android device user who purchases an app from the “Google Play” app store.

a)  Please explain how Google notified users that this data transfer would occur.  If your explanation relies on the terms of the Google Wallet privacy policy, including its disclosure that Google may share a user’s personal information with third parties “as necessary to process [a user’s] transaction or maintain [a user’s] account,” please explain how this data transfer was covered by the terms of that policy.  For instance, is such a data transfer always “necessary?”  Why?

b)  For data that was transferred to points outside of the EU, please explain how the transfer complied with EU data transfer laws.

2.  Among the reported features of Glass is the ability of wearers to use their devices to record, store and share all that they see, hear and do.  Please describe how the data collected through Glass will be managed (whether by the wearer, by Google, or by another party) and whether and to what extent that data can or will be combined with other data in Google’s possession or control.  How does Google intend to notify and secure the consent of non-wearers whose images, words and conduct may be recorded, stored, and shared by Glass?

“Please explain why Google repeatedly has failed to provide complete responses to all CNIL’s inquiries regarding the changes the company made to its privacy practices.”

3.  One recent industry observer compared Glass to “human versions of [Google’s] Street View vans” that will penetrate deep into user private lives and provide Google with information as personal as what is in user homes.  Please describe the full range of data that Glass will collect and what measures Google plans to implement to protect user privacy.

4.  Last month, Mozilla announced that it intends to block third party cookies on its Firefox web browser.  This is the same approach taken by Apple on its Safari web browser, and both companies have taken these steps out of concern for user privacy.  Earlier this year, Google paid a record $22.5 M fine in the U.S. for failing to comply with Safari’s third party cookie privacy controls.  What steps is Google taking to ensure that it does not make this same error with Firefox?  Would Google consider blocking third party cookies on its own Chrome web browser?  If not, why not?

5.  Please explain why Google repeatedly has failed to provide complete responses to all CNIL’s inquiries regarding the changes the company made to its privacy practices.  Does Google dispute its authority to ask these questions, or is it concerned that complete and accurate responses would disclose a violation of European privacy laws?