Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) The EU has escalated its existing investigation of Google’s global privacy policy, a policy covering all of Google’s services that was introduced by Google last year. Up until April 3, the French data protection authority, CNIL, had effectively been tasked with engaging with Google in an investigation as to whether Google’s global privacy policy complies with European data protection laws. Dissatisfied with Google’s response to date, five other data protection authorities from some of the largest EU countries (the United Kingdom, Germany, Spain, Italy and the Netherlands) are now joining France in a coordinated investigation. (The investigation has of course been covered by multiple news sources. See, for example, The Wall Street Journal article here for more information — and some pithy reader comments.)
The immediate consequences for Google in terms of potential financial penalties are negligible for a company of its size. Each of the national authorities can levy fines, but they are capped under current law. For example, the maximum fine in the UK is only £500,000. Things would be quite different under the proposed Data Protection Regulation, where EU-wide fines could be as high as two percent of worldwide turnover. See our earlier articles on the draft Regulation here and here.
But pending the introduction of more meaningful fines, the current investigation of Google is about fundamental points of principle (user consent and the viability of a global policy) that could have a widespread effect on companies that do any business with European customers as well as companies with actual operations in Europe.
Google has put together a global policy that attempts to satisfy requirements around the world. The EU data protection authorities say it isn’t good enough for their residents. Will Google be forced to adopt potentially more restrictive policies on a global basis in order to satisfy the EU and keep its desired approach of a single cross-service global policy? Or will Google end up creating a special policy for Europe? Or will the EU regulators be forced to back down – as might happen if, for example, Google threatened to curtail EU residents’ access to certain services if Google’s terms and conditions, including its privacy policies, aren’t accepted in the EU? (Google is not on the record as having made any such threat, but it’s an interesting scenario to consider.)
Another point of principle that seems to be lurking under the surface of the regulators’ public comments is the question of user consent. Google asks its users to agree to its privacy policies. In theory, adequately informed, affirmative user consent should be enough to satisfy the requirements of the current Data Protection Directive. However, the new draft Data Protection Regulation betrays a deep skepticism on the part of the EU regulators with regard to the validity of user consent – broadly speaking the draft Regulation provides that an imbalance of power between the data subject and the data controller invalidates consent as a basis for complying with the law. The regulators’ criticism of Google’s privacy policy focuses in part on whether certain terms are clear enough to users. One might question whether certain terms that seem generally disfavored by EU regulators (like the use of information gathered about a user’s web surfing) can ever be made clear enough to satisfy the EU that their residents have freely given truly informed consent.
At the end of the day, the Google investigation will test the EU’s proposition that it intends to set the gold standard for data protection regulation around the world. It may also test whether the EU regulators can bring themselves to accept that a vast majority of EU residents might be entirely happy to consent to uses of their personal data that offend the regulators – and that EU residents might actually be fully competent to make that decision for themselves.