How Google lost the trust of Europe’s data protection authorities
The days of teensy fines may be over for Mountain View
Opinion Over the last two years, various European data protection commissioners have taken action against Google. Hardly a month goes by without something being reported: a €145,000 (£121,000, $189,000) StreetView fine here or a court case about jurisdiction there.
So it is important to understand: “Why is Google on the receiving end all this enforcement action?” Why now, and not five years ago? What has changed?
From Europe’s data protection commissioners' perspective, there is a collective recognition that Google has given them the equivalent of the two fingers. Despite a lack of powers and resources, (and even though, for example, a maximum fine of £500,000 is a pinprick to an organisation whose profits are running at more than £8bn per year), the commissioners have collectively concluded that not to take action is not an option.
From Google’s perspective, I don’t know whether it is “carelessness” or “arrogance” or a combination of the two. “Carelessness” because data protection regulators generally try to reach some kind of compromise; so why can’t Google compromise? “Arrogance” because Google might have taken the view that it is such a rich, powerful and profitable multinational that it can process personal data despite the concerns of national data protection regulators (and if there is a dispute, tie them down in court processes that wipe out their legal budget).
'Faustian pact' and increasing surveillance
Five years ago, there was an acceptance by most internet users that the free access to services offered by Google involved an undeclared "Faustian pact". The user received the services for free and in return Google captured some data that assists something called “behavioural advertising”.
At that time, the user did not care much because - what the heck - the internet experience was really valuable and of course, the internet got better by the day. The pact was sustained in the knowledge that free access to the internet was (and still is) the main delivery vehicle for uncensored information into authoritarian regimes.
Of course, at that time also, there were a collection of “privacy nutters” bleating on the side-lines, identifying a host of hypothetical or far-fetched problems. For instance, the StreetView images of anonymous individuals (but identifiable to those who know that individual) entering a sex shop or, more recently, receiving a hand-job in the back streets of Manchester. I guess that such images caused more general amusement than concerns over individual privacy – after all the user was not looking at himself or herself.
However, over time, there has been dawning realisation that Google’s surveillance does indeed focus on each and every user; Google follows surfers around the net, wherever they go, whether they are logged into a Google service or not.
As Google’s “free” services expanded and the internet developed, this pact resulted in an unrestrained collection of more data about its users. This in turn resulted in a virtuous (or vicious) spiral; a booming business that needs more and more user data to guarantee higher and higher revenues from advertising.
That is why Google’s mission statement is all about data collection: it states that “Google’s mission is to organise the world’s information and make it universally accessible and useful”. Want a “scary version” of this statement? Just place the word “personal” before the word “information” and ask “accessible by whom?” or “useful for what?”.
It is no surprise that Google’s vast personal data collections are acting as a magnet for other forms of surveillance activity. That is why Governments want access to how the public uses the Internet so that law enforcement can obtain IP addresses and details of browsing habits. The collection and subsequent retention of such personal data concerns all users irrespective of whether or not there are grounds for suspicion for its retention.
The privacy issue here can be simply expressed: the grounds for suspicion about an individual user do not arise before the time of collection of IP addresses etc. Such grounds are found afterwards when the authorities, in some back office and at some time in the future, try to find a “wrong-un”. If a profiling algorithm is used, then any suspicion is likely to be based on a pre-programmed set of assumptions. In this way, the data that Google (and others) collect turns every user into a potential suspect.
Application of the Reagan doctrine
Even with its own privacy pronouncements, Google has been accused of being “economical with the truth”. For instance, what Google told the Information Commissioner in July 2011 was that the Wi-Fi data collection by its StreetView Camera cars was accidental.
By contrast, a Federal Communications Commission (FCC) report into the same problem made it clear that Google intentionally intercepted such Wi-Fi data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the interception. That is why the Federal Communications Commission imposed a $25,000 fine in April 2012.
However, I think the most damaging conclusion was that Google impeded the FCC investigation by “delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions”.
So when Google says something about privacy, how do we know that it is kosher? That is why European data protection commissioners are pushing their equivalent of the “Reagan doctrine” at every turn: “Trust but verify”.
The CNIL’s concerns (still unaddressed) were that Google:
- did not provide retention periods and has refused to provide retention periods;
- has not provided sufficient information about its personal data processing;
- should reinforce users' consent offer an improved control over the combination of data by simplifying and centralising the right to object (opt out);
- should allow users to choose for which service their data are combined;
- should adapt the tools that its various data combinations remain limited to the authorised purposes, eg, by differentiating the tools used for security and those used for advertising; and
- should avoid an excessive collection of data.
Google definition of “Personal information”. This is “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google".
UK Act definition of “personal data”. This "means data which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”
Now suppose Google has collected an IP address. To satisfy its definition of personal information, that IP address requires identification of an individual from “other data which can be reasonably linked to such information by Google”. By contrast, the Data Protection Act requires merely that the identification information to be “in the possession” of Google (ie, there is no requirement to “reasonably link” the identifying information with the IP address as per the Google definition).
Note also that the UK definition merely requires the identification information to be “likely to come into the possession” of Google. By contrast again Google’s definition needs the data to be under Google’s control and an actual linkage to the specific individual.
It now can be seen, that the Google definition is far narrower than the 1998 Data Protection Act. How then does the UK’s Information Commissioner know that Google has complied with that Act, if Google does not provide the details such as those requested by the CNIL?
The “Starbucks effect” (and the Boston Tea Party)
The press report that Google employs more than 1,300 people in London and Manchester, generates £2.5bn of UK sales and pays corporation tax of £6m or so. This latter figure implies its UK profits are of the order £30m per year.
This crude analysis shows that Google is, in effect, another “Starbucks”. It generates hundreds of millions of pounds of revenues in the UK and pays disproportionately little Corporation Tax. Of course Google pay VAT and their UK employees their PAYE, but in general the public can now categorise Google as another large organisation evading their fair share of tax. The prime minister’s dictum that “we are all in this together” clearly excludes Google from the “we”.
It follows that when Google take the high moral ground in support for notions of freedom of speech, this does not extend to the facts that allow such speech to be informed in the context of its own tax affairs. In summary, any future public pronouncement by Google about “freedom” should be accompanied with a great deal of cynicism.
Then there is the unprecedented lobbying from USA companies like Google concerning the content of the Data Protection Regulation. The idea that corporate America can employ its financial muscle to influence Europe’s Parliamentary processes and laws should make everyone feel very uneasy. What do you think would happen if Europe’s corporate giants started lobbying the USA Senate about gun control or abortion or taxation? They would quickly be told where to go.
Indeed, Google’s involvement presents a historical curiosity. In 1773, the cry at the Boston Tea Party was: "No taxation without representation".
Google’s version of this is: “Full representation without taxation".
CNIL’s Google links
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.