Europe’s Data Protection Authorities have made a bold new move in their long-running fight to compel changes in Google’s controversial privacy policy. After repeated warnings that the policy violates the rights of European users and persistent indifference from Google, six of the 27 members of the EU’s Article 29 Working Party of national Data Protection Authorities – including France, Germany, the UK, Italy, the Netherlands, and Spain – have decided to pursue enforcement measures against Google under their respective national laws. At stake is Google’s ability to continue deploying in Europe its business model of offering free or low-cost online services in exchange for users’ personal information. However, the biggest impact of the DPAs’ move may come not in the consumer market, but in the lesser-known market for online services used by organizations such as governments and schools.

The DPAs’ Strategy: United We Stand

It’s been a year now since the Article 29 Group first launched its investigation of the Google privacy policy. The issue for the Group has always been that the enforcement powers of its members are relatively weak, which allows Google to ignore its demands without fear of consequences. While the powerful European Commission (currently investigating Google for abuse of dominant position in the search market) can inflict fines of up to 2% of a firm’s global turnover, the DPAs are limited to the much smaller fines authorized by their respective national laws. But the DPAs have thought long and hard about how to maximize their strength. Their response has been to act as a unified team in which the stronger members take the lead, while all members have a say in the strategy and offer support.

The stakes for both sides are high. The DPAs risk a lasting loss of credibility. If they come away from this battle empty handed, no multinational firm will fear them again. As for Google, while the revisions that the DPAs seek in the firm’s privacy policy would likely not have a dramatic impact on its consumer advertising business, they could force a fundamental change in the way it sells its email and online collaboration services to institutions like governments, companies and schools.

Europe Isn’t Trying to Destroy Google’s Business

Google’s business model relies on data mining users’ online content and behavior to target them with the most “relevant” possible ads – meaning the ads most likely to produce a monetizable click. The DPAs want Google to be more explicit in spelling out the bargain by which it offers consumers “free” services in exchange for a deep look into the users’ personal behavior and preferences. In effect, users are paying for Google’s services with the coin of privacy, and the Europeans are insisting that Google disclose the true cost of this transaction as well as offer users the right to refuse it. Such disclosure might seem to threaten the very foundations of Google’s consumer advertising business. After all, surveys have repeatedly shown that consumers find the idea of being tracked by online ad companies creepy. But the reality is that the vast majority of consumers – in Europe and elsewhere – are likely to accept the terms of Google’s bargain if given proper notice and the chance to control how much personal information they share with advertisers. A privacy policy revised along the lines requested by the DPAs would not demolish Google’s business model, at least not in the consumer space.

The Biggest Impact could be on Google Apps, not Search

However, there is another market in which disclosing the true cost of “free” or partially subsidized online services could very well put an end to the search firm’s current business model, and that is the market for services that are provided not to individual consumers, but to the membership of entire organizations. This market contains some particularly sensitive user populations whose privacy requires special protection. Two critical examples are civil servants employed by local or national governments and children in schools. Google is aggressively targeting governments and schools on both sides of the Atlantic with free or subsidized versions of its Google Apps offering, a bundle of email, collaboration and other services hosted in Google’s data centers. Google has also slyly incorporated its consumer privacy policy into the contracts it offers for these services. But the French Data Protection Authority (CNIL) in its report on Google’s privacy policy (issued on behalf of the Article 29 Working Party last October) found that such collective entities may not have the power to consent to a privacy policy on behalf of their individual members – be they employees, civil servants or school children.

The implicit premise of the business model behind Google Apps is simple. Organizations receive these services at very modest or even no cost in exchange for Google’s right to exploit user content to improve its ad-targeting abilities, just as the firm’s standard consumer privacy policy allows. In effect, Google is inviting organizations such as governments, enterprises and schools to acquire email and online collaboration services at artificially low prices by paying with the coin of their end-users’ privacy. If the Article 29 Working Party overthrows this model by requiring Google to remove its consumer privacy policy from its contracts, Google’s only alternative might be to adopt the more conventional model of selling its services for a price that reflects their true value rather than giving them away in exchange for information.

The DPAs have made it clear that they will not accept purely cosmetic tweaks to Google’s privacy policy. Google’s strategy until now has been to repeat tirelessly that it is already obeying the law and doesn’t understand what the fuss is about (one is reminded of the Alec Guinness line in Star Wars – “those aren’t the Droids you’re looking for”). But the DPAs are demanding that Google actually implement the EU’s requirements rather than merely pay lip service to them. The DPAs persistence over more than a year of joint investigations (led by France’s CNIL, but with close cooperation from other Article 29 Working Party members) and their willingness to put aside individual differences suggests that they are determined not to yield to Google’s intransigence. Their concerted action is unmistakably intended as a dry run of the formal DPA coordination mechanism built into the future EU Data Protection Regulation, which will replace the 1995 Directive and is now under debate in the European Parliament and Council.

Both Sides are Playing for Time

This brings us to a key subtext behind the Article 29 Working Party’s latest action against Google. Today we are witnessing what the French call a “bras de fer” – an “arm of iron” or arm-wrestling match – between two opponents determined to apply all the force they can muster to drive the other to concede. But at the same time we are watching a game of chess, where the players make crafty moves that they hope will encircle the opponent and seize a victory by surprise. While the enforcement battle between Google and the DPAs is taking place in full public view, the second game is taking place in meetings of both the European Parliament and Council. The object of this game for Google is to change the greatly strengthened European privacy rules in the new Regulation before they can be used against it. The object for the DPAs is to hang on long enough for these rules to come into effect, at which time their ability to extract concessions from Google will be greatly enhanced.

Away from public view, Google and its allies are engaged in a stealthy but ferocious battle to strip the future Data Protection Regulation of the powerful new enforcement mechanisms built into it by its authors at the European Commission. The prime target of this effort is the provision which would allow national DPAs to inflict fines on violators of up to 2% of world turnover – the same as the current anti-trust powers of the Commission. This lobbying effort has produced angry pushback from both the Commission and the DPAs as well as a wide range of EU opinion leaders (the latest group to protest is an association of European academics). But at the moment it is very difficult to get a clear picture of who is winning the battle of amendments. We will have to wait until we see the final version of the Regulation submitted for a vote to the Parliament in late May and for the Council general approach, which should be adopted in early June, paving the way for trilogue negotiations between Commission, Parliament and Member States. In the meantime, regulators, online service providers and privacy advocates around the world will be closely watching the cautious but determined efforts of Europe’s Data Protection Authorities to reign in the market power of the world’s largest advertising firm.

–Commentary by SafeGov expert Jeff Gould

Author :