On April 2 the French privacy authorities (known by their acronym CNIL) announced that France and the privacy authorities in five other European countries (Germany, Italy, the Netherlands, Spain, and the United Kingdom) had agreed to simultaneously begin enforcement actions against Google under their respective domestic privacy laws. The enforcement actions follow a months-long investigation of Google’s privacy policy to determine whether the policy met the requirements of the European Data Protection Directive. They also follow a 4-month delay in enforcement during which the European authorities had hoped Google would modify its practices. This decision is quite significant.

Action will now turn to enforcement within each of the six countries. For the most part that action will focus on how Google’s policy affects European consumers. The inquiries may, however, also examine how Google’s policies affect its contracts with government clients who use cloud-based services. As SafeGov expert Jeff Gould has noted, the logic of the CNIL enforcement action applies with equal force to government users.

As the inquiries move forward, the data protection authorities may ask whether existing corporate privacy policies are incorporated into government cloud service contracts. They may also ask whether the technological capability exists to implement privacy protections consistent with the EU Directive. At present the answers to these questions are unclear.

Several dangers lurk in the nascent enforcement actions. Inconsistent decisions across national boundaries would prove impossible for any corporation to comply with. In the interim, some observers are of the view that the enforcement action against Google may lead to its blacklisting by European governments for procurement. If this were to occur, there might be collateral consequences for Google on the other side of the Atlantic. Indeed, Federal CIOs and/or the FTC might ask many of the same questions that the European authorities will be asking.

And, finally, lest one think that the significance of this week’s action is limited, note that the precedent set in the enforcement action against Google will apply, with equal force, to other cloud service providers (like Microsoft and Amazon) who seek to do business in Europe. And, given the seamless nature of the network, the standards are also likely to set a minimum floor for privacy standards around the globe.

–Commentary by SafeGov expert Paul Rosenzweig, Chertoff Group
