In a well written article, DLA Piper attorneys discuss the AEPD’s decision to refer Google for criminal prosecution and to start the process to impose a 2.4 Euro fine.
[Full disclosure: I work for Microsoft, a Google competitor.]
I have two points to raise.
(1) At the Privacy Laws & Business conference in July 2010 in London, Peter Fleisher spoke several times. During one session, Peter gave examples of new technologies that would have significant privacy implications. He stated that these technologies were coming and that they would be used to their fullest extent. He then spoke about the regulators role in navigating the privacy implications fo these new technologies. It’s also worth nothing that the head of the Spanish AEPD was present as well. Immediately after his talk, several of the regulators took the stage. Christopher Graham took issue with Peter’s views. I remember thinking at the time that there clearly was a clash of viewpoints and that Google could suffer at the hands of regualtors as a result of the tone taken at the conference.
I would say my assessment was dead on given the AEPD’s actions
Having come from a heavily regulated industry, financial services, I can tell you unequivocally that taking a belligerent attitude with regulators is a sure way to end up on the wrong side of a press release and a fine. The choice is not between being combative and acquiescence, but instead between targeted by the government (and you can’t beat city hall) and working to build relationships and drive dialogue to prevent or minimize fines and bad press. When you undergo a series of fines, enforcement actions, or other significant bad press, radical change and transparancy is necessary to recover.
(2) Governance is critical to avoiding and/or getting out of this kind of trouble. If a company is faced with a litany of actions from regulators, you have to wonder whether the privacy professionals in that organization have any influence and whether there is any governance in place. Organizations that find themselves in this situation needs to do open heart surgery on their privacy governance program. And, its senior management need to get onboard quickly and in a big way. Your organization can’t afford a criminal action, nevermind two. You might be able to get out of one, maybe even two, but if the regulators want your head, they will get it eventually. Other regulators will smell blood in the water and start circling in these situations.
I am sympathetic to Google. I know that may privacy professionals look at Google and thinks, “There go I, but for the grace of God.” (If you are, it’s time to take a look at your governance and have a chat with your senior management.) I think Google received a lot of support for making information available to the masses. It must be confusing to feel this privacy backlash.
(3) Regulators need to be cautious in their approach to regulating new technologies and new uses for old technologies. There is tremendous economic benefit that can be reaped by businesses and individuals. Regulators do not want to squash innovation, particularly in the current economic climate. They are only harming their own people by making them less compentative and driving up costs. Don’t get me wrong, there is the other side of this equation, human rights and dignity, which is just as critical and which the regulators must balance against. But I would hate to see the regulators go too far and impede the great benefits that can be reaped here as well.
Also, I worry that data protection (in all countries, not just those located in Europe), can be used as an economic weapon, which is particularly tempting in difficult economic times. This would be a shortsited approach. I suspect it costs Google and Microsoft and any other cloud provider, a significant amount of money to maintain databases within Europe. Europe doesn’t want to see those jobs disappear overseas. At the same time, costs and inefficiencies remain unnecesarily high for European businesses. Regualtors need to be thinking strategically as well.