Remember the new one-size-fits-all Google privacy policy [a single privacy policy that regulates all of Google's services] that we went through earlier in class? This policy is now under attack in Europe.
On April 2nd, 2013, six countries in the European Union (UK, France, Germany, Spain, Italy, and the Netherlands) announced a joint action against Google's new privacy policy. The EU data protection authorities claimed that the new privacy policy does not allow users to figure out what information is kept, how it is used by Google's various services, and how long this data is kept. The EU authorities demand that Google specify those issues and present the privacy policy in a simpler form.
Does Google care about this action? Definitely. The fines have a limited effect on Google, but the public relations damage can seriously hurt Google's business. Google's annual revenue in 2012 was $50 billion, and is projected to be $60 billion in 2013. On the other hand, the maximum fine for a violation of privacy policy in the EU is $1.3 million, and each EU member country would probably impose additional fines (but, in general, these are less than $1 million). Thus, the fines are not likely to raise any significant concern for Google. However, the public relations effect on Google is huge. On the same day the EU action was announced, Alma Whitten, Google's first privacy director, stepped down after three years in the job.
What defense does Google have? Theoretically, Google can defend itself by claiming EU-US safe harbor. EU-US safe harbor provides a streamlined and cost-effective means for US organizations to satisfy EU privacy law by complying with an "adequacy" requirement. The "adequacy" requirement is a lower privacy standard compared to the EU's regular privacy policy. The "adequacy" requirements are specified in seven areas: notice, choice, onward transfer (transfers to third parties), access, security, data integrity, and enforcement. In a nutshell, EU-US safe harbor is a reduced privacy standard provided to US companies so that they can operate in the EU. Interestingly, Google's privacy policy does explicitly mention that Google complies with the EU-US safe harbor. Even more interestingly, Microsoft updated its privacy policy in April 2013. On the first page of the new privacy policy, Microsoft posted a very large "EU-US Safe Harbor" icon, claiming compliance with it.
Learning from this event, it seems that the real "teeth" in a governmental privacy action is not the fine, but the stigmatization: "you don't respect our privacy." In my opinion, if Google decides to go to court, it will likely prevail on the EU-US safe harbor. However, here, Google's privacy director stepped down immediately without seeking justification under the EU-US safe harbor. What do you think? Is the concern about stigmatization so strong that it de facto moots the EU-US safe harbor? What benefit does the EU-US safe harbor offer in practice? Any other thoughts?
The unification had already occurred by summer 2012, and I believe that the July 27th release was v.2. I think you're remembering the Bing policy:
http://www.microsoft.com/privacystatement/en-us/bing/default.aspx
Thanks a lot, Will. You are correct.
I will try to answer myself. The EU-US safe harbor does not provide many substantive benefits to giant corporations, such as Google and Microsoft, because they value public relations much more than the cost of complying with the law.
However, the EU-US safe harbor can be very helpful to medium and small companies. These companies are less likely to value public relations as much as big corps. Thus, the EU-US safe harbor provides a useful low-standard, cost-efficient guideline for structuring a privacy policy that satisfies both US and EU requirements.