Avoiding the EU's "get Google" game

The European Union's data regulators need to be balanced when debunking Google's privacy policy and its activities in the region. The stakes are too high for their probing to turn into a witch hunt.

In 2012 the EU warned Google that the consolidation of its privacy policies across as many as 60 of its services might infringe EU laws and gave the Internet player until March this year to resolve the issue. Google must focus strongly on upcoming privacy proposals in order to play its strongest hand, while the European data protection agencies (DPAs) taking up the investigation will need to ensure they focus on balancing citizens’ privacy with the free flow of the European Internet economy. The stakes are high, and a near-perfect sense of balance will be essential.

The current rules may be superseded by the time the investigations are completed, and the new ones are likely to be more restrictive

The action taken this week by DPAs in France, Germany, Italy, the Netherlands, Spain, and the UK against Google is no surprise, since it comes just four months after regulators’ attempts to get the company to address issues with its privacy policies. Their investigations may lead DPAs to rule that Google is not compliant with the EU framework on data protection. However the current set of rules may be superseded by the time these investigations are completed, especially given the EC’s intention to have a new regulation on data protection passed by the end of 2013. This means that Google must take steps to address the DPAs’ current concerns even while trying to influence the new rules before they are passed, and assessing their potential impact. While the proposals may not be passed with their original text, they are likely to be more restrictive than the current directive in some respects, such as users’ “right to object.” In particular, Article 20 of the proposal adds additional safeguards to “not to be subject to a measure based on profiling.” This could be significantly disruptive for Google’s targeted advertising business; the company should therefore focus its efforts on understanding what the new rules will ultimately look like, and thinking of ways to address them.

Google’s case is a good experiment in coordinated DPA action, but it may still lead to different outcomes across countries

The DPAs’ action against Google shows that they are developing an aptitude for acting together, which is what will happen on a regular basis if the proposals related to the way DPAs operate are passed. The EC is looking to introduce a “consistency mechanism” that ensures DPAs follow standard procedures when adopting measures. DPAs will have to liaise with a European Data Protection Board and with the EC, submitting their draft measures to both bodies. The DPAs will then be expected to take the utmost account of the EC’s opinion.

However, for the time being the DPAs will still have a high degree of independence. They have to refer to their respective national legislation implementing the EC’s directives, which can lead to different outcomes across countries. Recent examples have shown that inconsistencies can easily occur. For example, Google is considered to be a publisher in Spain and is required to remove search results from its engine despite not being the content holder, while not enjoying the same safeguards as a media company. If DPAs do not agree on a common approach, we may see more confusion arising from this joint initiative, to the detriment of both businesses and end users.

European investigation must not turn into a game of “Get Google!”

The stakes are too high to mistakenly make an example of Google for its mismanagement of users’ privacy. If the conclusions of the current European investigation set precedents that must be applied to the European Internet economy at large, regulators must make very sure that they do not create unnecessary friction for business. That said, the law needs to be applied to improve the transparency of the personal data environment and European citizens’ understanding and control of their own data. The world will be watching closely to see how this is done. Will Google be categorised as a media company, a data controller, or a data host? And will companies be allowed to use their algorithms as an argument to place themselves outside the law? This is a big play for European regulators, and “getting” Google is not the game; getting the balance right for Europe is.

Luca Schiavoni is an Analyst in Ovum’s regulatory advisory service.