Will the FTC Follow the EU's Lead in Protecting Digital Privacy?

The ICO's announcement was in conjunction with CNIL, which issued a press release on April 2, 2013 that stated: '[R]epresentatives of Google Inc. were invited at their request to meet with the taskforce led by the CNIL and composed of data protection authorities of France, Germany, Italy, the Netherlands, Spain, and the United-Kingdom. Following this meeting, no change (by Google to its Privacy Policy) has been seen.' Google Privacy Policy: Six European Data Protection Authorities to Launch Coordinated and Simultaneous Enforcement Actions. The CNIL further stated: 'The article 29 working party's analysis is finalized. It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation.'

How will this development affect Google? It means that French data protection authorities along with regulators in the UK, Netherlands, Germany, Spain and Italy may take joint legal action involving an investigation and possible fines into Google's privacy policy changes that enables it to combine the data it obtains from users across all of its digital services. See, 'Google Facing Legal Threat from Six European Countries over Privacy,' The Guardian. The ICO has the authority to levy fines of up to '500,000 for breaches of the Data Protection Act. The CNIL may fine an entity up to '300,000 ('255,000). While these fines may not be much of a deterrent to Google and/or other companies to stop allegedly violating European privacy laws, regulators may also sue to block a company from operating in Europe. If this route is taken against Google and/or others it may harm a company's ability to operate in Europe.'

Impact in the U.S.

How will the EU's continued privacy law investigations into Google's practices affect Google's users in the United States? When will the FTC follow the EU's lead and request more information about Google's updated privacy policies? While it is too soon to speculate on the FTC's next move, it would not be surprising if the FTC eventually investigates Google and others who change privacy policies to better enable the data mining of users' content.

The EU data protection authorities and the FTC must properly balance the personal privacy rights of citizens with the ability of digital companies to be able to continue to thrive and expand. Should Apple, Facebook, Google, etc., be allowed to collect, archive and utilize user data without any limits? Last December, there was a major outcry when Instagram (Facebook bought it last year for $1 billion dollars) changed its privacy policy so it would be able to better data mine/monetize the personal content of its users. See, 'What Instagram's New Terms of Service Mean for You,' NYTimes.com. Only after a very public uproar did Instagram reverse course on most of its proposed privacy policy changes. See, 'Instagram Reverts to Original Ad Terms After Uproar,' NPR.org; 'Instagram Responds to Outrage, Tweaks Privacy Policy to Limit Photo Use in Ads,' NBC News.com.

What if Instagram followed through with all of its planned privacy policy changes? Would users have any real recourse against the service absent deleting their account? Should digital platforms be able to change their privacy policies to enable them to better data mine their users' personal data at any time? Some digital services/platforms have become so intertwined in our lives (i.e., Apple, Facebook, Google, etc.) that users may be willing to agree to any updated terms to continue to participate.

Conclusion

The hold these social media and Internet giants have on a large portion of the public at large raises many questions as to government's role in protecting the public's privacy. It also shows the balancing act authorities must perform.

When Apple, Facebook, Google, etc., update their policies and these changes appear to erode personal privacy protections and enable more data mining that does not appear to be in the best interest of users, should regulatory authorities around the world, including the FTC, stop or modify these changes? If Google's privacy policy changes are not legal in Europe should they be legal in the United States? Should European digital users be afforded greater privacy protections than those in the United States?

Bradley S. Shear is a lawyer in Bethesda, MD, and an Adjunct Professor at George Washington University. A member of this newsletter's Board of Editors, he practices cyber and social media law, privacy and advertising law, and copyright and trademark law.' Shear advises state and federal lawmakers around the country on digital media law and public policy issues. He can be reached at www.shearlaw.com.

'

SPECIAL OFFER: Twitter, LinkedIn, Facebook and Google+ followers can get an online subscription to'Internet Law & Strategy'for only $299. Click'here, select Digital Only and use promo code'INLSOL299'at checkout.This offer is valid for new subscribers only.

'

Are Google's March 2012 privacy policy changes legal?'

This is a question that the European data protection authorities have been working on since Google first announced its intention to change its privacy policies in January 2012. See, 'Google to Update Privacy Policy to Cover Wider Data Use,' The New York Times. Soon after the announcement, France asked European data protection authorities to open an inquiry into the matter. See, 'Google Privacy Policy Changes Spark Europe-wide Inquiry,' The Guardian. In addition, U.S. Representative Edward Markey announced his intention to ask the Federal Trade Commission (FTC) whether Google's privacy policy changes were legal in the United States. See, 'Lawmakers Press Google on Privacy Policy Changes,' Reuters.com.

On April 2, 2013, the United Kingdom's Information Commissioner's Office (ICO) stated: '[T]he ICO has launched an investigation into whether Google's revised March 2012 privacy policy is compliant with the (European) Data Protection Act [European Data Protection Directive (95/46/CE)]. The action follows an initial investigation by the French data protection authority [Commission nationale de l'informatique et des libert's] CNIL, on behalf of the Article 29 group of which the ICO is a member. Several data protection authorities across Europe are now considering whether the policy is compliant with their own national legislation.' ICO Statement Regarding Investigation into Google Privacy Policy. The Article 29 Working Party investigated Google's privacy policy from March to October 2012. EU data authorities gave Google four months to comply with their recommendations.

The ICO's announcement was in conjunction with CNIL, which issued a press release on April 2, 2013 that stated: '[R]epresentatives of Google Inc. were invited at their request to meet with the taskforce led by the CNIL and composed of data protection authorities of France, Germany, Italy, the Netherlands, Spain, and the United-Kingdom. Following this meeting, no change (by Google to its Privacy Policy) has been seen.' Google Privacy Policy: Six European Data Protection Authorities to Launch Coordinated and Simultaneous Enforcement Actions. The CNIL further stated: 'The article 29 working party's analysis is finalized. It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation.'

How will this development affect Google? It means that French data protection authorities along with regulators in the UK, Netherlands, Germany, Spain and Italy may take joint legal action involving an investigation and possible fines into Google's privacy policy changes that enables it to combine the data it obtains from users across all of its digital services. See, 'Google Facing Legal Threat from Six European Countries over Privacy,' The Guardian. The ICO has the authority to levy fines of up to '500,000 for breaches of the Data Protection Act. The CNIL may fine an entity up to '300,000 ('255,000). While these fines may not be much of a deterrent to Google and/or other companies to stop allegedly violating European privacy laws, regulators may also sue to block a company from operating in Europe. If this route is taken against Google and/or others it may harm a company's ability to operate in Europe.'

Impact in the U.S.

How will the EU's continued privacy law investigations into Google's practices affect Google's users in the United States? When will the FTC follow the EU's lead and request more information about Google's updated privacy policies? While it is too soon to speculate on the FTC's next move, it would not be surprising if the FTC eventually investigates Google and others who change privacy policies to better enable the data mining of users' content.

The EU data protection authorities and the FTC must properly balance the personal privacy rights of citizens with the ability of digital companies to be able to continue to thrive and expand. Should Apple, Facebook, Google, etc., be allowed to collect, archive and utilize user data without any limits? Last December, there was a major outcry when Instagram (Facebook bought it last year for $1 billion dollars) changed its privacy policy so it would be able to better data mine/monetize the personal content of its users. See, 'What Instagram's New Terms of Service Mean for You,' NYTimes.com. Only after a very public uproar did Instagram reverse course on most of its proposed privacy policy changes. See, 'Instagram Reverts to Original Ad Terms After Uproar,' NPR.org; 'Instagram Responds to Outrage, Tweaks Privacy Policy to Limit Photo Use in Ads,' NBC News.com.

What if Instagram followed through with all of its planned privacy policy changes? Would users have any real recourse against the service absent deleting their account? Should digital platforms be able to change their privacy policies to enable them to better data mine their users' personal data at any time? Some digital services/platforms have become so intertwined in our lives (i.e., Apple, Facebook, Google, etc.) that users may be willing to agree to any updated terms to continue to participate.

Conclusion

The hold these social media and Internet giants have on a large portion of the public at large raises many questions as to government's role in protecting the public's privacy. It also shows the balancing act authorities must perform.

When Apple, Facebook, Google, etc., update their policies and these changes appear to erode personal privacy protections and enable more data mining that does not appear to be in the best interest of users, should regulatory authorities around the world, including the FTC, stop or modify these changes? If Google's privacy policy changes are not legal in Europe should they be legal in the United States? Should European digital users be afforded greater privacy protections than those in the United States?

Bradley S. Shear is a lawyer in Bethesda, MD, and an Adjunct Professor at George Washington University. A member of this newsletter's Board of Editors, he practices cyber and social media law, privacy and advertising law, and copyright and trademark law.' Shear advises state and federal lawmakers around the country on digital media law and public policy issues. He can be reached at www.shearlaw.com.

'