Google’s recent settlement with the Federal Trade Commission should act as a stark warning to all organisations signing up to the Safe Harbor principles. In particular, it is set to have a huge influence on the way in which privacy policies are developed and amended.
Privacy policy violations
Last week, Google agreed to settle Federal Trade Commission (“FTC”) charges regarding breaches of the privacy policies that applied to its social network, Google Buzz. The FTC monitors organisations’ compliance with the US-EU Safe Harbor privacy principles, under which Google has agreed to operate. Of prime concern to the FTC when bringing the charges was Google’s failure to give users notice and choice before using their information for a purpose which was different from that for which it was initially collected.
Buzz launched in February 2010 and is a tool integrated into Gmail, the company’s mail service, which combines Facebook’s social networking features with Twitter’s micro-blogging capabilities. It was seen as a rushed attempt to make an appearance on the already crowded social networking landscape and attracted large numbers of privacy-related complaints from users and regulators alike. In particular, users found that information provided through Gmail, including email contacts, suddenly became available to others through Buzz, without the user’s consent. As a result, and following further investigation, the FTC has found that the privacy policies Google had in place did not fully outline the scope of the service and intended use of personal data, and were wholly inadequate.
The Safe Harbor principles
The Safe Harbor principles were introduced in 2000, and allow US companies to self-certify adherence to EU data transfer standards. Participation is voluntary, but compliance ensures that companies have standards in place equivalent to those found in the EU Data Protection Directive. Those companies can then safely receive personal data from EU-based institutions. It should be noted that Safe Harbor is not available to US businesses in the financial services sector, and in these cases more stringent requirements will apply.
The Google settlement represents the first time that the FTC has charged a company with breaching the privacy requirements of the Safe Harbor framework. By confronting one of the largest aggregators of personal data in the world, the regulator has made it clear that, once signed up to the principles, no organisation is too large to escape the incumbent obligations.
The settlement
The terms of the settlement mean that Google’s privacy policy will be overseen and verified by a third party every other year for the next twenty years. This is a huge and lengthy commitment and, given the rapid development of data protection and privacy legislation, Google has no way of knowing exactly what it is agreeing to. In addition, the settlement will undoubtedly have an effect on other organisations, such as Apple and Microsoft, which have also signed up to the principles. These organisations may start to weigh up the potential administrative and financial burdens of complying with such a settlement, in the event that they too become subject to similar levels of FTC scrutiny. Ultimately this could lead to more organisations moving away from Safe Harbor and seeking alternative data transfer structures to operate under, such as the EU Model Clauses, for transferring personal data overseas.
In the remainder of the settlement, Google has promised not to misrepresent the way it deals with personal data, and to obtain explicit consent before sharing users’ information with other companies. While, to some extent, Google was an obvious target, the settlement should act as a deterrent to others, and the FTC has said that it hopes it will help to set privacy standards across the internet in years to come.
The future
All companies involved in the collection of personal data, including those seeking to benefit from Safe Harbor, need to have comprehensive privacy policies in place. The FTC’s decision has merely confirmed the current position: that when companies make privacy pledges they need to adhere to them. However, Google’s shortcomings have made it especially clear that full consideration must be given to the risks of not properly integrating the scope of all intended operations into privacy policies, and of any subsequent failures to inform consumers appropriately of changes to this scope.
Contribution was also made by James Besley, a trainee at CMS Cameron McKenna.