Authorities are concerned that the move violates EU law and would lead to disastrous consequences for privacy.
The new policy mandates Google to treat all data from every service as commercial product that can be exploited at will by any other part of the company. This means that personal information cannot be fire-walled or given specific protection.
A report published by the French privacy watchdog CNIL in October 2012 found the company to be in violation of data protection rules and demanded that reforms be implemented within four months. The company subsequently failed to make any significant changes to its new policy.
In a last-ditch attempt to achieve progress a task force comprising regulators from France, Germany, Italy, the Netherlands, Spain and the United-Kingdom met Google representatives last month but failed to elicit any change or secure any commitment to change.
The new policy mandates Google to treat all data from every service as commercial product that can be exploited at will by any other part of the company.
Exasperated, the regulators took the decision to create an EU-wide coordinated enforcement action in which each regulator will act according to their respective national law. Because of penalty limitations in national law any fines that may result are unlikely to be substantial, however the new action by regulators will create profound consequences for Google.
The policy sits at the core of Google’s business model, permitting the company to devise limitless ways to extract value from information provided by users.
Of even greater consequence to the company will be an inevitable push by parliamentarians for new controls to be embedded in the draft regulation. Among these may be a fast-track process to bring violations to a court of law. If the company refuses to abide by a court ruling its executives could be found to be in Contempt, resulting in criminal prosecution and almost limitless penalties.
National governments and the European Commission – bound by strict ethical rules for contracts – will be unable to enter into enterprise agreements with the company.
The immediate financial impact on Google will go well beyond any possible fines. National governments and the European Commission – bound by strict ethical rules for contracts – will be unable to enter into enterprise agreements with the company. Governments require all service providers to warrant that they respect and comply with data protection law. In the current circumstances governments would be required to exclude Google from consideration for contracts. Products such as Google Apps would be blacklisted.
The coordinated enforcement action by regulators will also bring less predictable consequences. Regulators tend to be timid when acting alone, but are far more daring and progressive when working in partnership with other authorities. There are unexplored areas of EU data protection law that permit regulators to substantially intervene in the operations of a company, imposing enforceable data processing prohibitions. Thus authorities in some countries – even under existing law – could shut down Google services. They just need the motivation to do so – and Google’s latest act of defiance may well provide such motivation.