DATA PRIVACY: US SAFE HARBOR, NO CALM WATERS FOR GOOGLE

In Spring 2012, Google completed its new privacy policy and implemented it throughout its product and services offerings worldwide.  The new privacy policy allows Google to collect, combine and share personal information obtained from its different products and services.  A court in Berlin, only last week, found Google’s privacy policy, together with its terms of service, to be in violation of Germany’s data protection laws.  The German court raised a number of issues with Google’s privacy policy and terms of service.  Underlying each of the issues is the apparent lack of control users have over personal data collected by Google.

Now, the Dutch data protection authority is focused on Google’s practice of combining personal data collected from all sources.  The Dutch data protection authority claims that when Google changed its privacy policy it did not inform or obtain consent from users.  Google users must click to accept a general privacy policy and terms of service.  These general terms allow Google to make changes to the privacy policy and terms of service without obtaining further consent from its users.  This practice breaches Dutch data privacy law.  In addition, Google does not provide information to its users on what is being done with the personal data collected, including combining personal information obtained from multiple sources for undisclosed uses.

The Dutch data protection authority has not yet indicated what enforcement measures will be imposed.

Google’s data privacy troubles are not isolated to breaches of German and Dutch privacy laws.  Spain and France also have investigations and are calling for enforcement actions.  Google will have to change its privacy policy and terms of service to avoid further enforcement actions and penalties.  The US Safe Harbor is being carefully scrutinized to determine whether, following implementation of data privacy rules in 2014, self-certification under the program will be satisfactory.  Prior to implementation of the US Safe Harbor agreement, US data privacy laws, which differ from state to state, did not provide adequate data protection to satisfy the EU Data Protection Directive.  As EU data protection laws get tougher, the US Safe Harbor will likely not offer the protection against enforcement actions it once did.