Why Google should be sweating about Europe’s privacy policy crackdown

A few months ago, Europe’s privacy authorities opened investigations into Google’s unified privacy policy, which Google introduced at the start of 2012 to allow it to share data across its various services. The EU data protection authorities argued that this sharing went too far for many users, as people may not want YouTube views, search queries and Gmail keywords tossed into the same pot, and may not even realize that Google is doing this.
Now we’re starting to see action. The UK Information Commissioner’s Office (ICO) has ordered Google to make its privacy policy easier to understand and the data protection authorities in Germany have also begun proceedings against the company (Spain did the same on 20 June).

“Formal enforcement action”

Here’s what the ICO said:

“We believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.
“Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policies compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”

In response to the actions taking place in the UK, Germany and Spain, Google’s merely trotted out the exact same line it’s previously used: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we’ll continue to do so going forward.”
According to the authorities, none of this – perhaps barring the creation of simpler services – is true. The data protection officials in the Article 29 Working Party group specifically said Google had not provided satisfactory answers, and that the unified privacy policy was not compliant with EU law.

Unified policy, unified response

Thing is, the immediate enforcement action these authorities can take is relatively toothless, particularly for an adversary with deep pockets. We’re talking fines in the hundreds of thousands of euros – hardly enough to make a company like Google sweat. However, Google would be mistaken if it thought it could just brush off their concerns.
There are two reasons for this, the first being the ability of authorities such as the ICO to go to the courts and seek a legal order forcing Google to change its ways. I know of no precedent in the UK for this, but the power is there and Google may find itself on the sharp end of it if the company carries on pretending there’s no issue.
The second reason may be more fundamental in the long term: we’re increasingly seeing data protection authorities coordinate their actions in response to companies, like Google, that operate on a cross-border basis. Although international laws do vary, this is even starting to happen at the global level.
Just look at the joint letter sent to Larry Page last month about potential privacy concerns around Google Glass. That letter was signed by data protection authorities from the EU, Canada, Mexico, Israel, Switzerland, New Zealand and Australia.
Privacy officials are clearly waking up to the concept of strength in numbers, not to mention the fact that they can respond more quickly to technological change by cutting down on duplicated efforts. It’s also much harder, even for a company with Google’s resources, to effectively lobby authorities that are all talking to one another.
There’s no question that a unified privacy policy helps Google run its business more efficiently. But it may just find its actions elicit a unified reaction that it would rather not face.