Is 2013 the Year Europe Cracks Down on Google's Privacy Violations?

04/04/2013 03:14 pm ET | Updated Jun 04, 2013

Europe's data regulators have apparently had it with Google.

After years of Google stonewalling governments on the so-called wi-spy scandal, in which Google snooped on individual data in homes using Street View vehicles, and after Google changed its privacy policies last year without getting consent from its users, a task force of six European government data agencies announced this week that they would launch new enforcement actions against Google over violations of European privacy law. European legislators may also tighten the continent's privacy laws specifically to deal with Google.

As France's National Commission for Computing and Civil Liberties wrote in an e-mailed statement, Google has defied European regulators by implementing privacy policies that violate privacy laws and, when questioned on those actions, provided "often incomplete" information. France is joined by Great Britain, Spain, Germany, Italy and Holland in this stepped-up enforcement.

The final straw for European regulators was the decision by Google that when a user used any service of Google's, information about that user would be available to advertisers on any other Google service for targeting ads. So if you watch a YouTube video on your phone, the ads you see would use your Google search habits, emails sent in your Gmail account and your location tracked by Google Maps to decide which ad you see. Google refused to allow users the right to keep data from different services from being combined into an integrated profile for those advertisers, despite the change in policy requiring consent by users under European law, according to the data protection agencies.

Google's stonewalling of regulators on exactly how that new integrated profiling of users on behalf of advertisers would work finally pushed European regulators to take legal action, after they had hoped over the last year to negotiate a voluntary deal with the company. But then the data protection agencies are used to stonewalling by Google after the Street View wi-fi eavesdropping -- which Google initially denied was happening, then denied any personal data was collected, and then refused to share what data had actually been collected. The U.S. had a similar experience: the Federal Trade Commission met a lack of cooperation from Google over the wi-spy issue, eventually fining Google for "willfully obstructing" the FTC's investigation. That itself followed a far more substantial half-a-billion-dollar fine (yes, that's b for billion) by federal prosecutors for assisting illegal pharmacies to market ads on Google, even after promising to stop the practice for years.

The question is what those data regulators can do to force Google to change its illegal actions. The level of fines available to European data regulators is notoriously low -- Google is facing official fines probably on the order of tens of thousands of dollars, or minutes of profit lost for the behemoth. However, European privacy advocate Simon Davies argues that there are "unexplored areas" of EU data protection laws allowing regulators to intervene in the operations of a company violating privacy laws. Those regulators could even "shut down Google services" if the company doesn't change its policies.

And if the regulators decide they lack the necessary enforcement tools, EU Justice Commissioner Viviane Reding said this week that the European Parliament and member states "will strengthen Europe's enforcement tools in the course of this year" as necessary to stop Google's violations of privacy law.

With new laws in place in Europe to toughen enforcement, Google may have to substantially change its operations to give consumers more control over what personal data Google can use in targeting ads and how it combines data across its various services.

The question is whether we are likely to see similar action by regulators here in the United States. While the Federal Trade Commission gave Google a pass on antitrust concerns back in January, Commissioner J. Thomas Rosch, in a partial dissent from the decision, criticized Google for seeming to use "half-truths" in gaining consumer consent for "gathering of information about the characteristics of a consumer" for the benefit of its advertising clients. While privacy law in the U.S. is substantively weak, federal regulators and state attorneys general have quite strong enforcement tools in taking on deceptive practices aimed at consumers.

Even more powerful would be various state attorneys general coordinating investigations with European data protection counterparts to challenge Google and other privacy-destroying social media companies to clean up their acts and strengthen protection of user privacy rights.

At least in Europe, 2013 looks to be the year for action. Hopefully, U.S. regulators follow Europe's lead.