Mark Leiser: I am a PhD Candidate in Cyber Law at the University of Strathclyde in Glasgow. I have written submissions for the Leveson Inquiry into the culture and ethics of the media and for the Scottish Parliament on the use of social media during trials. My PhD is supervised by Professor Andrew Murray at the London School of Economics and focuses on the effectiveness of cyber-regulation. My research and interests revolve around main areas of Internet law and policy including internet governance & regulation, democracy, social media, privacy, and intellectual property. My PhD research focuses on developing a system of modelling to measure the effectiveness and legitimacy of Internet Regulation. I write in a personal capacity.
Google appears to have managed to avoid a costly fine in Europe where the Competition Commissioner Joaquín Almunia was investigating the company for antitrust practices related to its local Search business, after a third settlement offer was apparently accepted by the EU. However, due to the secrecy surrounding the event, several members of the European parliament (MEP) have already cast their doubts over the deal.
Visitors to the French site were greeted by a notice informing users that "the CNIL has fined Google €150,000 for violating the law on “information and freedoms,” said the notice. “The decision can be accessed at the following web address,” it said, providing a link.
France is not the only European country unhappy with Google’s approach to personal data management. Spain, the UK, Germany, Italy and Holland have all opened proceedings against the search engine giant. Uniform throughout every dispute is the belief that Google has breached data protection rules over how personal data is processed and stored.
In the UK, the Information Commissioner Office (ICO) has taken issue with the way that Google collects data across the various Google services like YouTube, Gmail and Google+. Previously each one of Google’s products and services had its own privacy policies, and in most cases there was an ability to opt out of the data collection that Google operated. However, last year Google streamlined all of their privacy policies into one policy without any opt-out provision.
The French counterpart to the ICO, the CNIL (National Commission on Informatics and Liberty), is empowered with responsibilities for implementing the European Union’s data protection laws in France. The CNIL had originally demanded that the notice stay on Google’s home page for 48 hours, but after the links appeared; the CNIL website was overwhelmed with traffic and crashed with users trying to read the background story posted on the CNIL site.
Google had appealed against the CNIL fine and the sanction demanding that Google post a notice on the google.fr page. The Conseil d’Etat had ruled that there was not enough urgency to warrant a suspension of the sanctions. Effectively, Google could win the appeal after having to accept the sanction imposed by the CNIL.
CNIL argued that the 150,000 Euro fine was justified: “the company does not sufficiently inform its users about the conditions and purposes of processing data” and that “it does not set retention periods for all data process” and that “it allows, without any legal basis, the combination of all the data it collects about users across all of its services”.
This is not the first time Google has been slapped with a fine due to privacy disputes. In November 2013 , the company was fined $17m to settle its case with 37 American States after it circumvented the privacy settings in the Safari browser in order to place advertisement cookies.
Germany fined Google 145,000 euros for the systematic and illegal collection of personal data while it was creating its Street View service, calling on European lawmakers to increase fines for violating data protection.
The European Commission is in the process of developing new and tougher regulations on internet services that would force them to introduce more end-user control. The European proposal on data protection of 2012 (‘the proposed regulation’) is to replace Directive 95/46/EC of 1995 which is said to be outdated – in particular in regards to the way the internet helps contribute to the mass collection of personal and sensitive data. Some notable provisions of the proposed regulation include: the definition of a ‘data subject’ (to mean an identified or identifiable person by means likely to be used); a strengthened ‘right to be forgotten’ (such that individuals can ask for their personal data to be deleted and where there are no legitimate grounds for retaining it, the data will be deleted); right of data portability; requirement for consent to be given explicitly by individuals when it is required for certain types of data processing.
Google made a $10.7bn profit in 2012.
Do you have a strong opinion on a topical industry issue? To submit a comment piece, please send a short summary of your idea to firstname.lastname@example.org. Views of writers are not necessarily those of The Drum.