“Googsoft!” – my shorthand for Google, Microsoft, and Yahoo! - are clearly trying the patience of Europe’s Data Protection Commissioners. Earlier in the week, the Commissioners reported these companies to USA’s Federal Trade Commission and to the European Commission claiming that Googsoft!’s privacy practices are unacceptable. Clearly these letters are intended to have later regulatory effect (see references for URL).
Yet the problem for Data Protection Commissioners is that the public have, without regard for their own privacy, lapped up Googsoft’s! free services. Indeed, we would not be where we are with today’s Internet unless Googsoft! had not led the way. That explains why the UK Commissioner is reported in the press as saying that he does not want to "declare war" on Google.
Having said that there is, on the part of Googsoft!, a collective refusal to accommodate the Commissioners’ common viewpoint on privacy. With respect to data retention, for example, Googsoft! first argued that it could retain data more or less indefinitely as personal data were not processed; then after cajoling a two year retention policy emerged; then followed by 18 months, then finally 6 months retention (but only for some users). At best, this slow progression illustrates a very grudging approach to the regulators whose job it is to protect individual privacy.
Street View has also played its role in reinforcing the image of a "begrudging attitude" mainly because Google claimed that Street View did not raise many privacy concerns because the Commissioners did not enforce the data protection rules. Behavioural advertising then followed – there again Commissioners’ concerns being set-aside based on the claim that as such advertising did not breach data protection rules so there was no privacy issue.
The equation of “no data protection issue” with“ no privacy issue” is, of course, complete rubbish. What has happened is that the Directive 95/46/EC’s definition of “personal data”, as implemented by most EU Countries, does not apply with absolute certainty to Googsoft’s! processing. In effect, Googsoft!’s processing is exploiting a loophole in the law that arises from the fact that those who framed the text of international data protection agreements (e.g. in the 1980’s) did not consider the full impact of the Internet because that impact was not apparent at the time.
For example, the loophole in UK data protection law rests on the fact that to be “personal data” there has to be identification of the data subject by the Data Controller, and that if identification cannot be done, then the processed information cannot be personal data. The Information Commissioner’s regulatory remit depends on personal data being processed:– so no personal data, no remit.
This loophole applies to many EU data protection laws with the result that Europe’s Data Protection Commissioners are working in an area where they might not have any powers to do anything. Googsoft! know this, of course, and are pushing the boundaries to maximise their revenue streams. (I should add that that is why I think this loophole can be plugged by the data subject providing the identifying details by following the procedure in “Reclaiming Privacy on the Internet” – see references and blog of 9th July 2009).
This impotence explains why Google’s Street View camera cars, which have been “inadvertently” collecting the contents of wireless communications from people’s unsecured wi-fi networks, has "hit the spot" with most Commissioners. Because most communications are between specific individuals, it is possible personal data have been processed.
As an aside, I must add that I have found the instructions of the UK Commissioner, as reported in the press, to be quite bizarre. For example, the Daily Mail (24th May) reported that “The UK Information Commissioner has told Google to delete the information” (as has the Irish Commissioner). It appears from these reports that the obvious question of whether there had been an unlawful interception of communications has not been asked.
Of course, there are arguments that any intercepted material might not be personal data, but it does not stop this question being asked. The UK Commissioner’s stance is akin to that of a policeman catching a shoplifter and the asking the shoplifter to quietly put the stolen goods back on the shelf.
The reason why I would push this lawfulness question (if I was in the regulator’s shoes) is not because I hate Google or because I want it punished or humiliated. It is simply because Google has a track record of ignoring Data Protection Commissioners, and I (if I was a regulator) would want some “leverage”.
Lyndon Baines Johnson (36th President of the USA) knew the importance of leverage. He once colourfully said of Senators that “If you got 'em by the balls, their hearts and minds will follow”; so it would be with Google if unlawfulness was being considered seriously! LBJ also advised: “I never trust a man unless I've got his pecker in my pocket”. This is also useful advice to follow if there were to be an agreed action plan where the regulator wanted assurance that it would be implemented properly.
At the end of the day, I think Googsoft! are providing free services and most people recognise they need to make some money in order to deliver such services. However that acceptance of economic reality does not mean that Googsoft! can ride roughshod over what are minimalist requests from Commissioners who are protecting the interests of data subjects. There is a balance to be found, and any balance means “give and take” on both sides. And my advice to Googsoft! is that now is an apposite time to indulge in some "significant giving”.
Why is that? Well Googsoft! should take account that Directive 2009/136/EC has to be implemented this year (this could require user consent for any behavioural advertising – see blog of 5th May 2010 ) and the Commission is looking to revise Directive 95/46/EC at the end of the year (this could modernise the definition of “personal data”).
So if Googsoft! do not compromise, there is a risk that continued intransigence could give rise to popular pressure to close a privacy loophole that these companies have relied upon for far too long.
Letters about Googsoft!: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2010-others_en.htm
(b) Reclaiming Privacy on the Internet – 2009: This document describes how individuals can protect their internet browsing by engaging a data protection regime; IP addresses and URLs linked to user sessions can be transformed into personal data at any time by the user. The argument is based on the fact that data subject can easily provide the identifying details that transforms so called “anonymous data” (such as IP addresses etc) into personal data.