US wiretap case could be the key to Google transparency compliance in Europe

By Simon Davies

In one of the most important online privacy developments of recent years, the Italian data protection regulator has issued a ruling that requires Google not only to explicitly inform users of the extent of commercial processing of their data, but to also secure customer consent before that data can be used.

It would be difficult to overstate the significance of this ruling. Until now, countries such as France and Spain have levied fines against the advertising giant over systemic breaches of local law because of Google’s controversial processing operations. The new demand takes this position to an operational level that will fundamentally influence Google’s interaction with users.

The ruling reflects an emerging Europe-wide position amongst regulators that Google’s business model must fundamentally change if the company is to achieve compliance with EU law. Google has amalgamated all data streams from its sixty services, denying users any opportunity to opt out of commercial processing of their personal information. This data aggregation maximizes Google’s revenue by increasing the value of data generated by each user, but it also runs headlong against Europe’s user-centred data protection rules.

The Italian ruling takes the hardest line so far to uphold the fundamental principle of informed consent and is bolstered by a forthcoming framework for strengthened data protection rules across the EU. If Google fails to comply, the company could be exposed to penalties reaching to the low billions of dollars.

Most commentary on the decision has focused on the consent requirement, but the demand for greater detail and transparency of processing also has critically important consequences.

In this regard – as regulators and users increasingly demand more information about how Google processes customer information – recent developments in the US could provide a crucial key to unlock Google’s secret operations.

Claimants have brought an important case in California relating to the legality under federal and state wiretap laws of Google’s scanning and indexing of all private Gmail content. During the court’s process of discovering the extent and nature of the data mining, Google has successfully taken action to seal all documents that reveal how the information is processed. Google has also sought to have court transcripts censored.

These actions had the effect of creating a secret court. Twenty-six media organisations then intervened in the case to argue that Google’s “black box” should be opened to scrutiny, allowing analysts to determine the extent of intrusion and the likely scale of possible illegality.

In a telling response, rather than using case law to argue that the higher, “compelling” standard for suppression of documents applies, Google then accused the media companies of relying on “platitudes about the importance of public access.”

The court is yet to decide on the matter of disclosure, but – whatever the outcome – the implications for Europe are significant. If the processing operations are made public, the heightened public awareness would meet the requirements both of the new EU data protection framework and the Italian ruling. If they are kept secret, there would be a compelling case for European authorities to launch proceedings to achieve disclosure.

Either way, EU regulators should carefully follow the California proceedings to gain a better understanding of how the advertising giant deals with the matter of transparency – and what tactics they are likely to encounter in the future.