By Bradley Shear, Law Office of Bradley S. Shear

The CNIL, France’s independent administrative authority that ensures that data protection law is adhered to by companies doing business in France recently ordered Google to comply with the French Data Protection Act within three months or face sanctions for non-compliance. According to Reuters, the CNIL stated that Google has broken French law and that it has until the end of the three months to change its privacy policies or it may be fined up to 150,000 euros. Reuters also reported that Spain’s Data Protection Agency (AEPD) may fine Google between 40,000 and 300,000 euros for each of its five violations of the Spanish Data Protection Law.

The allegations that Google has violated data protection laws throughout Europe is extremely serious and unfortunately not surprising. Google’s January 24, 2012, announcement that as of March 1, 2012, it would change its web sites’ privacy policies to enable it to combine all of the information that it collects about its users to enhance its data mining capabilities created so many questions about its legality that before it even went into effect, France’s data protection authority, the CNIL, notified Google on February 27, 2012 that it would lead a coordinated European investigation into the matter.

In October 2012, the European Union Data Protection Agency issued a report alleging that Google’s new privacy policies failed to comply with its data protection laws. This report was endorsed by privacy regulators in 27 EU member states along with Australia, Mexico, New Zealand and Canada. Since this report was issued, the EU has provided Google the opportunity to either prove that its privacy policy change complies with EU data protection laws, revert to its old privacy policies, or propose another solution that would adhere to EU data protection laws.

Unfortunately for Google’s users, it has continued to claim that its March 1, 2012 privacy policy change does not violate EU data protection laws even though regulators across the continent have concluded otherwise. Since Google announced that it would change its privacy policies, Internet users have begun to demand that legislators along with regulators better protect personal digital privacy.

Privacy legislation, regulation, and enforcement is on the rise. For example, since May 2012, at least 36 states along with Congress have either introduced and/or enacted privacy laws that generally ban employers and/or schools from being able to require access to their employees’ and/or students’ personal digital data stored in the cloud. Late last year, U.S. Senator David Rockefeller opened an investigation into the practices of nine data brokers which may have led the FTC to study this issue. The recent NSA digital surveillance disclosures have proven that Internet users deeply care how their personal information is being utilized by the companies that are entrusted with their digital thoughts, correspondence, and information.

With access comes responsibility. Google has demonstrated time and time again that it and/or its employees may abuse its position as a gatekeeper of personal information. For example, several years ago, PC Magazine reported that a Google engineer was fired for accessing the Gmail and Google Voice accounts of minors and taunting children with the personal information he found. Last year, Google paid a record $22.5 million civil penalty to settle FTC charges that it misrepresented to users of Apple’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users, violating an earlier privacy settlement with the FTC. Several months ago, Google was fined 145,000 euros in Germany for what Hamburg data regulator Johannes Caspar stated was “one of the biggest data protection rules violations known” when it collected the personal e-mails, passwords, and photos of Internet users during its Google Street View project.

Why isn’t breaching data protection laws not considered as serious or troubling as breaking anti-trust laws? Violating the privacy of a digital user, whether a minor child or an adult, creates significant personal safety issues. For example, if an employee of a company that accumulates vast amounts of personal data about its account holders utilizes his position to harass and/or blackmail its users there are tremendous personal privacy, safety, and legal issues that need to be properly addressed.

While anti-trust violations may be detrimental to individuals, businesses, and society; in general, the greatest harm that may occur is that someone may pay more for a good or service than they otherwise would have and/or potential competition may be stifled. Therefore, since privacy violations may create greater personal safety and security issues and may do more harm to members of society than anti-trust violations, why isn’t the punishment for privacy violations at least equal if not greater than the punishment for anti-trust violations? Why are anti-trust violations generally punished much more harshly than privacy violations?

Will EU regulators investigate whether Google’s privacy policies affect how it presents its Internet search results? What if Google’s data mining capabilities that appear to have been greatly increased because of its privacy policy changes is a major factor in its alleged monopolistic behavior in the European Internet search market? Have the potential interconnection of these issues been thoroughly investigated by European regulators?

Data protection authorities across Europe appear ready, willing, and able to take action against Google in three months. If Google hardens its position and continues to refuse to acknowledge that its privacy policy change puts the personal privacy of its users at risk and violates EU data protection laws, this stance may lead to not only sanctions against Google, but also to increased scrutiny of the privacy policies of other U.S. based companies.

Author :