It might be time to dust off the European Union and U.S. safe harbor rules on data protection. While the rules have been around for more than a decade, they are just now coming into play, with the first case that alleges violations of the standards for gathering information online.

Last month the Federal Trade Commission forced a settlement with Google over allegations that the search giant violated European Union privacy principles by misusing customer information.

It is the first time the FTC has brought charges for privacy violations under the U.S.-EU Safe Harbor Framework, developed in 2000 by the U.S. Department of Commerce and the European Commission. The framework establishes a set of guidelines that allow U.S.-based companies to legally transfer personal data from Europe into the United States by abiding by a set of agreed-upon principles.

Companies that violate the Safe Harbor framework principles face enforcement action by the FTC. One of those principles is giving adequate notice and consent to consumers about how their data is going to be used.

According to the settlement charges, Google falsely asserted that it adhered to the Safe Harbor principles, but failed to get consumers' opt-in consent before using their information for a purpose different from that for which it was collected. Specifically, the FTC said Google violated its own privacy policy when it secretly took users' personal information provided for Google's Web-based e-mail service, Gmail, and integrated that data into its social networking service, Buzz.

“When companies make privacy pledges, they need to honor them,” FTC Chairman Jon Leibowitz said in a statement, announcing the settlement.

Google representatives were contrite in recognizing the violation of privacy rules. “We don't always get everything right,” said Alma Whitten, director of privacy, product, and engineering, in a corporate blog post. “The launch of Google Buzz fell short of our usual standards for transparency and user control, letting our users and Google down.”

Regardless of Google's apology, the settlement is a wake-up call to any company that collects customer information and transmits the data across national boundaries. “This is the most far-reaching, broadest FTC action on privacy to date,” says Sharon Goott Nissim, consumer privacy counsel with the Electronic Privacy Information Center (EPIC), a privacy watchdog group that filed the complaint against Google.

In yet another first, the FTC issued a consent decree to Google requiring remedial measures and the establishment of a “comprehensive privacy program.” The FTC did not impose any fines or penalties on the company. “It's a watershed event in the evolution of the FTC's privacy enforcement policy development,” says Reed Freeman, a partner with law firm Morrison and Foerster.

Specifically, the settlement requires Google to establish and maintain a comprehensive privacy program to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” Additionally, Google must undergo third-party independent audits every two years for the next 20 years to assess its privacy and data protection practices.

The requirement that Google establish a comprehensive privacy program likely foreshadows potential future settlement terms. Reed refers to it as “rulemaking by enforcement action.” While a consent decree is not a rule that carries the force of law, the FTC often “intentionally tries to leverage one case to send a signal to all of industry,” he says.


“We certainly hope the FTC will take a similar approach to other companies that engage in unfair and deceptive practices,” says Nissim.

In this regard, the settlement reaffirms the importance of compliance with the framework for companies that are safe-harbor certified. “On the one hand, [certification] buys you the right to get data from the European Union. On the other hand, any time you make any misstatement, or a statement that could be deemed as false, you run the risk of being sued for violating the safe harbor and potentially losing your safe harbor certification,” says Reed.

The lesson of the Google case is that any information collected on a consumer must always be used in the way it was intended, unless—or until—the consumer says otherwise. “For Internet users, we think the FTC decision should lead to higher privacy standards and better protection for personal data,” says Nissim.

The settlement agreement also prohibits Google from misrepresenting the privacy of users' information. It must also obtain user consent before sharing their information with third parties following product or service updates.

In a concurring statement, FTC Commissioner J. Thomas Rosch said he had “substantial reservations” over some portions of the settlement that seem contrary to the public interest. “Because Internet business models and technology change so rapidly, Google (and its competitors) are bound to engage in ‘new or additional’ sharing of previously collected information with third parties.” Requiring users to opt in each and every time, in his view, would be counterproductive.

FTC CHARGES

Below is an excerpt from the Federal Trade Commission's press release on its charge against Google:

According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.

On the day Buzz was launched, Gmail users got a message announcing the new service and were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, the FTC complaint alleged that some Gmail users who clicked on “Nah...” were nonetheless enrolled in certain features of the Google Buzz social network. For those Gmail users who clicked on “Sweet!,” the FTC alleges that they were not adequately informed that the identity of individuals they emailed most frequently would be made public by default. Google also offered a “Turn Off Buzz” option that did not fully remove the user from the social network.

In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.

When Google launched Buzz, its privacy policy stated that “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” The FTC complaint charges that Google violated its privacy policies by using information provided for Gmail for another purpose - social networking - without obtaining consumers' permission in advance.

The agency also alleges that by offering options like “Nah, go to my inbox,” and “Turn Off Buzz,” Google misrepresented that consumers who clicked on these options would not be enrolled in Buzz. In fact, they were enrolled in certain features of Buzz.

The complaint further alleges that a screen that asked consumers enrolling in Buzz, “How do you want to appear to others?” indicated that consumers could exercise control over what personal information would be made public. The FTC charged that Google failed to disclose adequately that consumers' frequent email contacts would become public by default.

Finally, the agency alleges that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor privacy framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The complaint alleges that Google's assertion that it adhered to the Safe Harbor principles was false because the company failed to give consumers notice and choice before using their information for a purpose different from that for which it was collected.

The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals' information or misrepresenting compliance with the U.S.-EU Safe Harbor or other privacy, security, or compliance programs. The settlement requires the company to obtain users' consent before sharing their information with third parties if Google changes its products or services in a way that results in information sharing that is contrary to any privacy promises made when the user's information was collected. The settlement further requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices.

Google's data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.

The Commission vote to issue the administrative complaint and accept the consent agreement package containing the proposed consent order for public comment was 5-0. Commissioner Rosch concurs with accepting, subject to final approval, the consent order for the purpose of public comment. The reasons for his concurrence are described in a separate statement.

The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 2, 2011, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted using the following Web link: https://ftcpublic.commentworks.com/ftc/googlebuzz and following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Source: Federal Trade Commission, March 30, 2010.

“To me, that's not burdensome,” says Nissim. “Users want to have control over their information, and they want transparency.”

Congress Weighs In

Several lawmakers this month also introduced legislation, weighing in on the issue of privacy. On April 12, Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced bipartisan legislation, “The Commercial Privacy Bill of Rights Act,” that would create the nation's first comprehensive privacy law.

The bill would require companies to provide consumers with an easily accessible method to opt out if they do not want their information distributed to third parties. It also requires companies to seek user permission before collecting and sharing sensitive religious, medical, and financial data with outside entities.

Microsoft, eBay, Hewlett-Packard, and Intel issued a joint statement in support of the bill. “We have long advocated for comprehensive federal privacy legislation, which we believe will support business growth, promote innovation, and ensure consumer trust in the use of technology,” the statement said. “The complexity of existing privacy regulations makes it difficult for many businesses to comply with the law.”

The companies also praised the bill for being “technology neutral” and for making it easy to adapt to changes in technology. “The bill also strikes the appropriate balance by providing businesses with the opportunity to enter into a robust self-regulatory program,” the joint statement said.

Nissim says the legislation is a “good starting point, but more needs to be done to safeguard consumer privacy.” 

On April 13, Representatives Cliff Stearns (R-Fla.) and Jim Matheson (D-Utah) put forward a similar proposal in the House, entitled the “Consumer Privacy Protection Act.” Both bills would be enforced by the FTC, include a self-regulatory ‘safe harbor’ framework, preempt similar state laws, and exclude a private right of action.

Unlike the Senate bill, however, the House bill would not require companies to obtain user permission to collect sensitive personal information, including health and financial records. Rather, such data would be collected by default unless a consumer opted out.

Neither the Kerry-McCain bill nor the Stearns-Matheson bill requires ‘Do Not Track’ mechanisms to limit the collection of personal information. However, two other bills—one pending in the House, the other in the California state legislature—do include such measures.

Most recently, California State Sen. Alan Lowenthal introduced a bill in the California state senate earlier this month that would restrict online tracking. Specifically, the bill would require the California attorney general and the California Office of Privacy Protection to issue regulations no later than July 1, 2012, requiring companies doing business in California to provide internet consumers with a method to opt out of the collection or use of any “covered information.” A hearing on that bill is expected April 26. Lowenthal's bill mirrors federal do-not-track legislation introduced in February 2011 by Rep. Jackie Speier (D-Calif.).

Some companies, however, are steps ahead of any pending laws. Apple became the latest company to add do-not-track capabilities to its Safari browser. Microsoft and Mozilla have already implemented this feature in their latest versions of Internet Explorer and Firefox.

Google does not have a do-not-track mechanism, but does offer a Chrome add-on, “Keep My Opt Outs,” that offers the same capability. Consumer advocacy groups say that's not enough, and they are placing greater pressure on Google to put into place do-not-track mechanisms. Says Nissim: “There is more to be done.”

The FTC is accepting public comment on its settlement with Google until May 2.