Time for Europe to get serious about investigating Google

By Simon Davies

Google‘s recent admission that it failed to fully delete unlawfully harvested WiFi data brings to a head several unresolved issues that are central not only to EU data protection, but also to the core principles of the Union itself.

The company’s continuing compliance failure on the WiFi issue and its poor treatment of EU data protection authorities not only raise important questions about Google’s accountability, product development process and governance, but also the sustainability of the advertising giant’s increasingly open defiance of Europe’s Rule of Law.

Historically, Google has tested the limits of EU data protection,

Historically, Google has tested the limits of EU data protection

pushing back on such issues as search data retention, the Right to be Forgotten and concerns relating to its Gmail service.

A line was crossed however on April 20th when the company wrote to the French privacy authority Commission Nationale de l’informatique et des Libertés (CNIL) openly questioning not only the Commission’s right to investigate the company over the legality of its new privacy policy, but also the legal authority of the Article 29 Working Party of data protection authorities to request that investigation.

The CNIL investigation was prompted by Google’s new privacy policy, which was to come into effect on March 1st 2012. The new policy empowers the company to share data across a wide spectrum of services. Importantly, this new mandate includes data sharing with embedded services in millions of third party websites that use Adsense and Analytics. EU data protection authorities had expressed concern that the new policy may breach several provisions of law. Article 29, acting on behalf of all EU authorities, requested that CNIL investigate the matter.

Google adopted a combative position from the outset. It defied a request by CNIL to delay implementation of the new policy pending the investigation, it failed to fully answer a questionnaire submitted by CNIL and then breached the Commission’s response deadline by two weeks. CNIL reported that Google’s answers were “often incomplete or approximate” and asked the company to be submit more specific details.

In a damning criticism the authority advised: “CNIL considers it impossible to know Google’s processing of personal data, as well as the links between collected data, purposes and recipients, and that the obligation of information of the data subjects is not respected.”

CNIL considers it impossible to know Google’s processing of personal data, as well as the links between collected data, purposes and recipients, and that the obligation of information of the data subjects is not respected.

“The CNIL also notes that Google has not provided a maximum retention period for the data.”

Questioning the authority of both CNIL and Article 29 was generally seen as obfuscation (though some viewed the tactic as impudent and offensive). The authority established under the Data Protection Directive and the Rules of Procedure of Article 29 give the body a wide-ranging mandate as an independent advisor and investigator. Article 1 (4) of the Rules of Procedure states:

“The Working Party may, on its own initiative, make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community. [Art. 30(3)]”

While it’s certainly true that there are no specific guidelines for investigations leading to such recommendations, equally there is no limitation on what Article 29 may decide in the interests of data protection. Article 16 of the Rules provide the required authority: “The Working Party may establish one or more subgroups to prepare its position on certain matters and shall decide on their mandate.”

The direct precedent for the Google referral to CNIL was a referred investigation in 2006 to the Belgian DP authority over complaints about SWIFT (the Society for Worldwide Financial Telecommunication)

Google is not a public service search engine; it is an advertising company. 96% of its $38 billion annual revenue comes from advertising. All its products and ultimately all its policies are centred on this core business model. When Google “sells in” to Europe it must abide by EU laws to the same extent as would a pharmaceutical company. The “public service” perception, coupled with an unnecessarily confused view of the nature of the Internet has helped stall action against the company.

The Treaty of Lisbon stipulates a prime directive for EU authorities to nurture the European economy and to protect the rights and liberties of its people. The Treaty provides for the development of a “highly competitive social market economy” and a fair and just environment. At no point does it provide for special treatment for powerful overseas companies, least of all a company with a revenue that would make it the twentieth-largest EU national economy. Such entities are required to respect the rules that regulate access to European markets and which protect the rights of Europeans.

In this light Google’s failure to respond to the CNIL questionnaire in a timely and comprehensive way raises two possible scenarios: either the company did not choose to provide all the information, or it did not possess the information. Both scenarios should be of profound interest to the EU.

In view of this situation it is incumbent upon Europe not just to fall squarely behind CNIL’s efforts to investigate the company, but to initiate action at a level of rigour beyond anything that has been contemplated so far. No corporation should be allowed to determine the nature and extent of European rights.