Usually, Google wins. The company has racked up victory after victory in the United States and elsewhere in both trademark and copyright law. But this time (or, for now) the search and advertising giant may have met its match: European privacy regulators.

The EU is covered by the Data Protection Directive (Directive 95/46/EC), which requires that EU member countries regulate “personal data” and defines the term as “any information relating to an identified or identifiable natural person” (emphasis added). The United States, by contrast, prefers what it calls “sectoral approach” (and what the EU calls “inadequate“–though there is an optional per-company certification available). The much more stringent European standards, coupled with regulators much more willing to intervene in what the United States usually considers terms-of-service issues, mean that U.S. companies collecting or processing data in the EU can have a tough time developing a set of privacy policies and practices that work in both jurisdictions.

In 2012, Google updated its privacy policies to attempt to do just that and in April of this year learned that the new policy might not pass muster with a number of European data privacy regulators. Then, last week, French data authorities (CNIL) sent the company formal notice that its privacy policies were inadequate. CNIL’s laid out a number of issues with Google’s policy, as well as a framework for the company to comply with French requirements within three months. It says that its longstanding complaint has been that Google’s policies keep individuals from understanding or controlling how Google uses their personal data, and that the company has “not implemented any significant compliance measures” at all.

According to CNIL, Google has 90 days to do the following, or face sanctions:

  • Tell EU individuals how Google uses their data
  • Keep personal data no longer than necessary to achieve the disclosed purpose and publish data retention periods
  • Avoid combining users’ personal data in prohibited ways
  • Obtain informed consent before setting any browser cookies

What should the search giant do? Keep in mind, it doesn’t have to do any of these things in the United States. So should it change its privacy policy and practice on the fly–yet again–for its millions of users in the EU? For all users worldwide? Or try to brazen it out in the French courts? Or should it scramble to bring allies into the mix? Google also just won a case against the Spanish data privacy regulator over the right to be forgotten. So is CNIL’s demand a rare loss for the tech giant, or just a setback on the road to another victory?

And what, if anything, will happen if the proposed Data Protection Regulation (which would apply directly to all companies doing business in the EU, not to member states) go into effect? Privacy seems to be taken much more seriously in the EU than the United States, so Google (and other U.S. Internet firms) may not want to find out.

–Brad Edmondson

Image Source

Tagged with:

Comments are closed.