Following last month’s final meeting between Google and European regulators at which “no change” in Google’s attitude was seen by European Union (“EU”) regulators, at least five European countries began their own investigations into Google’s global privacy policy, promising coordinated enforcement action by summer.

But enforcement action against Google, and other global cloud companies, could come much closer to home. Google, Facebook, Microsoft, Amazon, and numerous other companies are part of the “Safe Harbor” compliance program managed by the US Department of Commerce and enforced by the US Federal Trade Commission (“FTC”). The Safe Harbor program enables companies, in order to lawfully export EU citizens’ personal data to the United States, to certify that they are in compliance with seven key EU privacy principles: Notice; Choice; Onward Transfer; Access; Security; Data Integrity; and Enforcement. EU regulators have already found that Google’s 2012-announced global privacy policy violates several of these principles.

The FTC, meanwhile, maintains its authority to sanction American companies falsely or deceptively (in FTC’s view) representing their compliance with these principles as part of the Safe Harbor program. FTC Commissioner Julie Brill recently touted prior FTC enforcement actions against Facebook, and others, for falsely representing compliance with the Safe Harbor Framework. At a recent conference in Europe, I listened to a senior FTC official implore EU privacy regulators not to significantly modify the EU-US Safe Harbor agreements as they provide a key jurisdictional “peg” for FTC enforcement of EU privacy principles against US companies.

FTC enforcement can be costly, including requirements for companies to allow independent monitoring of their privacy compliance for 20 years. So, connecting the dots: EU regulators have declared Google in violation of key privacy principles (and other cloud powerhouses are already, or soon will be, in the EU’s sights); such companies certify compliance with these principles in order to export data to the United States; and the EU regulators, at least in the case of Google, have implicitly found these compliance certifications to be untrue.

Will US FTC enforcement action against Google and others similarly situated in the future necessarily follow? Who knows, but it is likely the FTC will at least consider it. And Google — and other US IT giants operating in the EU — would be wise to remember that violations of EU privacy law can have consequences that go beyond the borders of the EU.

–Commentary by SafeGov expert Bryan Cunningham, Cunningham Partners LLC
