«

»

New joint enforcement action against Google may trigger an EU-wide government blacklisting of the company

google

The stand-off between Google and Europe’s data protection authorities took a dramatic turn today as six EU countries launched coordinated enforcement actions against the company.

Authorities are concerned that the move violates EU law and would lead to disastrous consequences for privacy.

The unprecedented action follows an investigation by the Article 29 group of EU authorities into Google’s amalgamated privacy policy that aggregates data across all the company’s products and services. Authorities are concerned that the move violates EU law and would lead to disastrous consequences for privacy.

The new policy mandates Google to treat all data from every service as commercial product that can be exploited at will by any other part of the company. This means that personal information cannot be fire-walled or given specific protection.

A report published by the French privacy watchdog CNIL in October 2012 found the company to be in violation of data protection rules and demanded that reforms be implemented within four months. The company subsequently failed to make any significant changes to its new policy.

In a last-ditch attempt to achieve progress a task force comprising regulators from France, Germany, Italy, the Netherlands, Spain and the United-Kingdom met Google representatives last month but failed to elicit any change or secure any commitment to change.

The new policy mandates Google to treat all data from every service as commercial product that can be exploited at will by any other part of the company.

The company’s intransigence is a direct consequence of the new privacy policy being a crucial mechanism to monetise personal information. The policy sits at the core of Google’s business model, permitting the company to devise limitless ways to extract value from information provided by users. Its failure to reform the policy is testimony to the company’s need to clear all barriers to the flow of valuable data. This has resulted in a “crash or crash through” philosophy in which the company hopes to demolish EU data protection law.

Exasperated, the regulators took the decision to create an EU-wide coordinated enforcement action in which each regulator will act according to their respective national law. Because of penalty limitations in national law any fines that may result are unlikely to be substantial, however the new action by regulators will create profound consequences for Google.

The policy sits at the core of Google’s business model, permitting the company to devise limitless ways to extract value from information provided by users.

Most significant of all, this decision by a US-based company to defy EU law will not play well with members of the European Parliament who are currently considering a new data protection framework for the EU. Google and other US companies have launched a successful hurricane-scale lobbying effort to water down the proposed data protection regulations. Google’s refusal to obey the lawful instructions of EU authorities is likely to reverse the fortunes of the draft data protection regulation. A much more robust and prescriptive law is likely to be created – including antitrust-level penalties against repeat offenders such as Google.

Of even greater consequence to the company will be an inevitable push by parliamentarians for new controls to be embedded in the draft regulation. Among these may be a fast-track process to bring violations to a court of law. If the company refuses to abide by a court ruling its executives could be found to be in Contempt, resulting in criminal prosecution and almost limitless penalties.

National governments and the European Commission – bound by strict ethical rules for contracts – will be unable to enter into enterprise agreements with the company.

The immediate financial impact on Google will go well beyond any possible fines. National governments and the European Commission – bound by strict ethical rules for contracts – will be unable to enter into enterprise agreements with the company. Governments require all service providers to warrant that they respect and comply with data protection law. In the current circumstances governments would be required to exclude Google from consideration for contracts. Products such as Google Apps would be blacklisted.

The coordinated enforcement action by regulators will also bring less predictable consequences. Regulators tend to be timid when acting alone, but are far more daring and progressive when working in partnership with other authorities. There are unexplored areas of EU data protection law that permit regulators to substantially intervene in the operations of a company, imposing enforceable data processing prohibitions. Thus authorities in some countries – even under existing law – could shut down Google services. They just need the motivation to do so – and Google’s latest act of defiance may well provide such motivation.