Google - EU Privacy Dispute May Affect US Law

Imagine the following scenario: A powerful Chinese company acquires a 95% stake in the US market for search advertising. At the same time, it signs up millions of users for its free email service, a version of which is also adopted by many American schools.

The company then captures a commanding lead in the US smartphone market with an operating system that is free and ad-supported. Leveraging sophisticated data mining algorithms that monitor its users' online behavior, the Chinese company quickly builds a US business worth tens of billions of dollars per year, leaving its American competitors far behind. To support this business, the company builds several large datacenters in the US and hires thousands of local sales representatives. Thanks to a clever use of loopholes in US tax law, the company pays only a fraction of its US sales in corporate income tax.

Then one day the company announces a sweeping revision of its privacy policy, granting it the right to combine personal data collected from its user base to enable more accurate ad targeting. At this point, a small federal agency concerned with the enforcement of US privacy laws asks whether the Chinese Internet giant might temporarily delay the new privacy policy while the agency reviews its proposed policies. The agency makes clear that it is not challenging the Chinese company's right to pursue its profitable business model. It merely wants to ensure users have been properly informed and have consented to the public use of their data.

[A speech recognition tool raises new security and privacy questions. Read: Google Chrome Allows Eavesdropping, Researcher Claims.]

The company waves aside this request, and the agency is forced to initiate an investigation. After careful procedure and review, the federal agency concludes that the firm has violated US privacy laws. It fines the company $150,000 -- roughly what the giant earns every few minutes.

How does the Chinese Internet giant respond? It instructs its lawyers to inform the federal agency that American laws do not apply to it, because even though its datacenters are in the US, legally its services are provided from China by its parent company. The company decides it does not recognize US regulation standards.

You might think this scenario is implausible, especially in the US, but right now it is currently taking place in Europe. In fact, if we replace "Chinese company" and "US market" with "US company" and "European market," we can see a parallel scenario unfolding in the European Union's current dispute with Google over its privacy policy. 

For example, the French data protection authority recently fined Google €150,000 for its refusal to strengthen the user information and consent provisions in its privacy policy. Late last year, the Spanish data protection agency issued a €1 million fine on the same grounds. France and Spain are just two of six European countries that have been investigating Google's policy for the past two years. Further actions from these groups are likely in the weeks and months ahead.

It is easy to imagine that Europe's actions are little more than sour grapes over its inability to compete with American tech firms. However, the EU is not trying to stifle Google's success or that of any other US tech firm. On the contrary, European data protection regulators have stressed that their market is open to American firms -- even when these firms far outstrip their European rivals -- provided that they tell consumers candidly how their business models actually work.

Europe is trying to apply a set of basic privacy protections that it has carefully nurtured since the Second World War and that were inspired in part by the US Constitution's Fourth Amendment. We can be confident that EU data protection authorities will apply the same high level of scrutiny to Google's competitors. In fact, Facebook and Microsoft have already faced similar investigations, and Yahoo is likely not far behind. What's more, there are signs that Congress may emulate Europe's more rigorous approach to privacy. Senator Patrick Leahy's recently introduced Personal Data Privacy and Security Act, for example, is in many ways stricter than the EU's current laws.

There can be little doubt that Europe will ultimately prevail in its effort to persuade Google that it must recognize the continent's right to regulate its own market. But there is also little doubt that the innovative Internet industry pioneered by Google and its American rivals will go on dominating the European market for a long time to come. Google's leaders need only put a little water in their wine, as the French say, and learn that no company can be above the law.

Jeff Gould is CEO and director of research of Peerstone Research and a technology expert at SafeGov.org, an online IT forum dedicated to promoting trusted and secure cloud computing solutions for the public sector.

Private clouds are moving rapidly from concept to production. But some fears about expertise and integration still linger. Also in the Private Clouds Step Up issue of InformationWeek: The public cloud and the steam engine have more in common than you might think. (Free registration required.)