Usually, Google wins. The company has racked up victory after victory in the United States and elsewhere in both trademark and copyright law. But this time (or, for now) the search and advertising giant may have met its match: European privacy regulators.
The EU is covered by the Data Protection Directive (Directive 95/46/EC), which requires that EU member countries regulate “personal data” and defines the term as “any information relating to an identified or identifiable natural person” (emphasis added). The United States, by contrast, prefers what it calls a “sectoral approach” (and what the EU calls “inadequate,” though there is an optional per-company certification available). The much more stringent European standards, coupled with regulators much more willing to intervene in what the United States usually considers terms-of-service issues, mean that U.S. companies collecting or processing data in the EU can have a tough time developing a set of privacy policies and practices that work in both jurisdictions.
In 2012, Google updated its privacy policies to attempt to do just that, and in April of this year learned that the new policy might not pass muster with a number of European data privacy regulators. Then, last week, French data authorities (CNIL) sent the company formal notice that its privacy policies were inadequate. CNIL laid out a number of issues with Google’s policy, as well as a framework for the company to comply with French requirements within three months. It says that its longstanding complaint has been that Google’s policies keep individuals from understanding or controlling how Google uses their personal data, and that the company has “not implemented any significant compliance measures” at all.
According to CNIL, Google has 90 days to do the following, or face sanctions:
- Tell EU individuals how Google uses their data
- Keep personal data no longer than necessary to achieve the disclosed purpose and publish data retention periods
- Avoid combining users’ personal data in prohibited ways
- Obtain informed consent before setting any browser cookies
And what, if anything, will happen if the proposed Data Protection Regulation (which would apply directly to all companies doing business in the EU, not to member states) goes into effect? Privacy seems to be taken much more seriously in the EU than in the United States, so Google (and other U.S. Internet firms) may not want to find out.