Sunday

17th Nov 2019

Opinion

Google's collision course with member states

  • At least five European countries have begun their own investigations into Google’s global privacy policy (Photo: nitot)

European Union regulators have taken their first step to making good on their recent threat to take “repressive action” against Google by summer.

Following last month’s final meeting between Google and European regulators at which “no change” in Google’s attitude was seen, at least five European countries have begun their own investigations into Google’s global privacy policy, promising coordinated enforcement action by summer.

Read and decide

Join EUobserver today

Support quality EU news

Get instant access to all articles — and 20 year's of archives. 30-day free trial.

... or join as a group

There is nothing to stop other EU member states from taking their own actions as well, if, as now seems inevitable, Google does not significantly modify its 2012–issued global privacy policy to conform to fundamental European privacy principles.

But what, exactly, is likely to happen?

Though crystal balls are of little use in predicting what the 27 EU member states may do, a recap of Google’s latest dispute with the EU, and a review of EU data protection enforcement authorities, may provide some clues.

In a significant revision of its global privacy policy, Google early last year asserted the right to expand its data mining activities to combine personal data of its users across all of an individual’s accounts and services, including: gmail; Internet searching; map and location information; and photo sharing, with no ability for individuals to opt out.

Google, which reportedly has 80 percent of the EU search engine market, 30 percent of the EU smartphone market, and 40 percent of the global online video market, is not alone in seeking to expand its mining of users’ personal data. Facebook, for example, launched two controversial programmes last year to aggregate Facebook user data with other private data held by advertisers and collected via loyalty cards and programmes. And, in December, the EU launched a formal inquiry into changes to Microsoft’s privacy policy.

The EU’s main privacy regulatory body, the “Article 29” Working Group, voiced concern about the increased threat to EU citizens posed by Google’s sweeping 2012 privacy policy change almost immediately after it was announced.

Even before the policy went into effect, the Working Group, comprised of EU member country Data Protection Authorities (“DPAs”), publicly urged Google to delay putting the policy into effect until the Working Group could carefully review it. Google refused to delay implementation of the policy and, at the request of the Working Group, the French national DPA, the CNIL, took the lead in investigating Google’s new policy.

In late February 2012, the CNIL made a preliminary finding that Google’s policy violated the key EU privacy law, the Data Protection Directive ((Directive 95/46/EC, the “DPD”). The CNIL then sent Google several letters of inquiry and asked them not to implement the policy. Google responded to the CNIL’s questions but implemented the new policy over the CNIL’s objections and, at least in the CNIL’s opinion, failed to fully and sufficiently provide the requested information.

After the CNIL’s investigation, the Working Group found that Google’s policy violates a number of provisions of the EU Data Protection Directive and ePrivacy Directive, including requirements that: collection of personal data only be for limited purposes; users be fully informed about the intended uses of their data; and users be given the right to opt out. The regulators asked Google to make significant changes to its policy and threatened regulatory action if Google failed to make such changes in four months.

Repressive action

To date, Google has failed to make any significant changes, leading to the threat of “repressive action.” What might such action look like?

Although the EU strives for integration, the power to impose sanctions for privacy violations is, under current law, left to the member states. Under the DPD, EU member states are required to endow their individual DPAs with the power to investigate violations and impose sanctions and/or initiate legal proceedings. The Working Party itself can advise the EU Commission and issue opinions. Though these are not legally binding, they carry a great deal of weight with the individual Member State DPAs.

In its announcement (18 February), the EU data protection authorities said they would “coordinate their coercive actions... [which] should be implemented before the summer.” Then, after a two-day Working Group meeting, the regulators announced that Google would be called to appear before regulators as they prepare for coordinated enforcement actions.

If, in the wake of the most recent meetings and investigations announcement, Google maintains its unwillingness to modify fundamental provisions of its privacy policy in response to the Working Group’s concerns, it seems likely that at least some member states, including some or all of the five identified as opening their own investigations, will take enforcement action against the company.

The regulators have issued so many warnings to Google, and the issues raised are so integral to how Europeans view their fundamental human rights, that it is difficult to see how the EU regulators can back down. They likely will calculate – reasonably – that failure to act now will encourage similar actions by numerous other companies and strike a blow to meaningful deterrence of future privacy violations.

Enforcement and sanctions authorities and activities in EU member states vary widely, from Belgium, where the DPA has limited authority to impose fines, to Spain, which issues substantial fines, to Germany and France, which have substantial authority but use it in widely divergent ways depending in particular cases.

The types and severity of sanctions available to DPAs, depending upon individual national laws, can include, in increasing severity: relatively informal guidance; recommendations; investigations; formal warnings; administrative sanctions (monetary fines); public admonishment; blocking of data processing or transfers; and, finally, criminal sanctions.

It seems likely, then, that, without accommodation by Google, the Article 29 Working Group will coordinate enforcement actions by at least some member states by summer. It is at least possible that some member states will attempt to make an example of Google, and deter other companies, by imposing unusually high fines, and possibly impose injunctive remedies, such as legally prohibiting processing of data found to violate EU privacy law. Given the EU member states’ history, however, it seems highly unlikely that any Google officials will be subjected to criminal process.

The writer is an independent information security and privacy lawyer and a Senior Adviser to the Chertoff Group, where he advises clients on information security, data privacy and data protection programmes. He served previously in senior intelligence and law enforcement positions in the US government in both the Clinton and Bush Administrations.

Disclaimer

The views expressed in this opinion piece are the author's, not those of EUobserver.

Facebook warns against 'detailed' EU data law

The world’s largest social media company, Facebook, says the EU draft data protection regulation should remain broad enough to create incentives for business to comply.

Confusion over EU data bill costs

Those who support the EU's proposed data protection bill and those who oppose it are putting forward vastly different figures on the cost of the new law.

News in Brief

  1. Catalan politicians extradition hearing postponed
  2. Germany: EU banking union deal possible in December
  3. EIB: no more funding of fossil-fuel projects
  4. UK defence chief: Russia could trigger World War III
  5. Hungary's Varhelyi will face more questions
  6. Police put former Berlusconi MEP Comi under house arrest
  7. MEPs criticise Poland for criminalising sex education
  8. UK will not name new commissioner before election

'A game of roulette' - life as a journalist now in Turkey

Turkey has more journalists behind bars than any other country in the world. The authorities seem to equate journalism with terrorism: everyone has the right to express themselves, but, in their eyes, legitimate journalism is a threat to security.

Stakeholders' Highlights

  1. Nordic Council of MinistersEarmarked paternity leave – an effective way to change norms
  2. Nordic Council of MinistersNordic Climate Action Weeks in December
  3. UNESDAUNESDA welcomes Nicholas Hodac as new Director General
  4. Nordic Council of MinistersBrussels welcomes Nordic culture
  5. UNESDAUNESDA appoints Nicholas Hodac as Director General
  6. UNESDASoft drinks industry co-signs Circular Plastics Alliance Declaration
  7. FEANIEngineers Europe Advisory Group: Building the engineers of the future
  8. Nordic Council of MinistersNew programme studies infectious diseases and antibiotic resistance
  9. UNESDAUNESDA reduces added sugars 11.9% between 2015-2017
  10. International Partnership for Human RightsEU-Uzbekistan Human Rights Dialogue: EU to raise key fundamental rights issues
  11. Nordic Council of MinistersNo evidence that social media are harmful to young people
  12. Nordic Council of MinistersCanada to host the joint Nordic cultural initiative 2021

Latest News

  1. France unveils new model EU enlargement
  2. Key moments for new commission This WEEK
  3. EU threatens legal action against UK over commissioner
  4. Corruption in the Balkans: the elephant in the room
  5. Green MEPs unconvinced by Romanian commissioner
  6. EU states fell short on sharing refugees, say auditors
  7. Hungary's commissioner-to-be grilled over loyalty to Orban
  8. Widow's plea as EU diplomats debate Magnitsky Act

Stakeholders' Highlights

  1. Vote for the EU Sutainable Energy AwardsCast your vote for your favourite EUSEW Award finalist. You choose the winner of 2019 Citizen’s Award.
  2. Nordic Council of MinistersEducation gets refugees into work
  3. Counter BalanceSign the petition to help reform the EU’s Bank
  4. UNICEFChild rights organisations encourage candidates for EU elections to become Child Rights Champions
  5. UNESDAUNESDA Outlines 2019-2024 Aspirations: Sustainability, Responsibility, Competitiveness
  6. Counter BalanceRecord citizens’ input to EU bank’s consultation calls on EIB to abandon fossil fuels
  7. International Partnership for Human RightsAnnual EU-Turkmenistan Human Rights Dialogue takes place in Ashgabat
  8. Nordic Council of MinistersNew campaign: spot, capture and share Traces of North
  9. Nordic Council of MinistersLeading Nordic candidates go head-to-head in EU election debate
  10. Nordic Council of MinistersNew Secretary General: Nordic co-operation must benefit everybody
  11. Platform for Peace and JusticeMEP Kati Piri: “Our red line on Turkey has been crossed”
  12. UNICEF2018 deadliest year yet for children in Syria as war enters 9th year

Stakeholders' Highlights

  1. Nordic Council of MinistersNordic commitment to driving global gender equality
  2. International Partnership for Human RightsMeet your defender: Rasul Jafarov leading human rights defender from Azerbaijan
  3. UNICEFUNICEF Hosts MEPs in Jordan Ahead of Brussels Conference on the Future of Syria
  4. Nordic Council of MinistersNordic talks on parental leave at the UN
  5. International Partnership for Human RightsTrial of Chechen prisoner of conscience and human rights activist Oyub Titiev continues.
  6. Nordic Council of MinistersNordic food policy inspires India to be a sustainable superpower
  7. Nordic Council of MinistersMilestone for Nordic-Baltic e-ID
  8. Counter BalanceEU bank urged to free itself from fossil fuels and take climate leadership
  9. Intercultural Dialogue PlatformRoundtable: Muslim Heresy and the Politics of Human Rights, Dr. Matthew J. Nelson
  10. Platform for Peace and JusticeTurkey suffering from the lack of the rule of law
  11. UNESDASoft Drinks Europe welcomes Tim Brett as its new president
  12. Nordic Council of MinistersNordic ministers take the lead in combatting climate change

Join EUobserver

Support quality EU news

Join us