April 4, 2013
Action will now turn to enforcement within each of the six countries. For the most part that action will focus on how Google’s policy affects European consumers. The inquiries may, however, also examine how Google’s policies affect their contracts with government clients who use cloud-based services. As Safe Gov expert Jeff Gould has noted, the logic of the CNIL enforcement action applies with equal force to government users.
As the inquiries move forward, the data protection authorities may ask whether existing corporate privacy policies are incorporated into government cloud service contracts. They may also ask whether the technological capability exists to implement privacy protections consistent with the EU Directive. At present the answers to these questions are unclear.
Several dangers lurk in the nascent enforcement actions. Inconsistent decisions across national boundaries would prove impossible for any corporation to comply with. In the interim, some observers are of the view that the enforcement action against Google may lead to its blacklisting by European governments for procurement. If this were to occur, there might be collateral consequences for Google on the other side of the Atlantic. Indeed, Federal CIOs and/or the FTC might ask many of the same questions that the European authorities will be asking.
And, finally, lest one think that the significance of this week’s action is limited, note that the precedent set in the enforcement action against Google will apply, with equal force, to other cloud service providers (like Microsoft and Amazon) who seek to do business in Europe. And, given the seamless nature of the network, the standards are also likely to set a minimum floor for privacy standards around the globe.
–Commentary by SafeGov expert Paul Rosenzweig, Chertoff Groupsafegoveu