Google Faces Privacy Policy Challenges

Italian Regulator Demands Changes; U.S. Lawsuit Advances

Google's move to adopt a single, unified privacy policy in 2012 continues to have legal repercussions for the search engine giant.

In Italy, the Data Protection Agency this week ruled that Google must now gain explicit permission from Italian users before creating a profile about them. Separately, a U.S. district court judge ruled that a class action privacy lawsuit against Google filed by users of devices running the Android operating system can proceed, despite Google's attempt to have the suit thrown out.

In its ruling, Italy's Data Protection Agency says Google must update its privacy policy and practices to obtain "express consent from users" when it comes to using their profile or personal information for marketing purposes, says Milan, Italy-based attorney Giulio Coraggio, a partner at DLA Piper, in a blog post. The ruling covers numerous types of information usage, including mining Gmails to serve targeted advertising, linking together information from different Google services, as well as collecting information related to authentication credentials or via fingerprinting technologies.

Google now has 18 months to comply with the ruling, and must provide a roadmap to the Data Protection Agency by the end of September.

While Google has yet to respond to the ruling, it says it's been closely following the investigation. "We've engaged fully with the Italian DPA throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we'll continue to do so," a Google spokesman says in a statement. "We'll be reading their report closely to determine next steps." Google says it will also meet the September deadline.

EU Investigations Ongoing

Google can expect further rulings based on its privacy policy changes from other EU member states. "The resolution issued by the Italian DPA - or Garante - is not an isolated action," but rather one of a number of Google-focused investigations currently being run by different DPAs across Europe, attorney Rocco Panetta, a partner at the law firm NCTM Studio Legale Associato in Rome, and the former legal head of the Italian DPA, tells Information Security Media Group (see EU Authorities Allege Google Violations). Those investigations are exploring whether Google's privacy policy change violated either the EU Privacy Directive or related national legislation.

The Italian DPA ruling follows the agency slapping Google with a €1 million ($1.4 million) fine in April over its Street View program violating Italian data protection rules, by capturing and publishing recognizable images of people. That followed similar - although less costly - fines in Spain and France. Legal experts say Google could still face further Street View fines in Italy over its sniffing of unencrypted Wi-Fi communications.

Balancing Privacy, Business

But Italy isn't singling out Google or applying undue pressure, experts say. "On the contrary ... the present resolution, although it is very prescriptive and mandatory, at the same time does not impose any sanctions," Panetta says of this week's DPA ruling. Instead, it highlights that Google has been breaking Italian law via its lack of notice and consent for its profiling activities, and requires related changes.

The ruling won't just apply to Google. "I would expect that negotiations will start soon on how to find solutions also for other businesses relying on big data and behavioral advertising," says DLA Piper's Coraggio. "However, pending such negotiations, the risk is that the Italian DPA will start sanctioning operators that do not provide adequate information to users and obtain their prior consent to the profiling of their data for marketing purposes."

U.S. Lawsuit Advances

Google's 2012 privacy policy change also led to the filing of a U.S. class action lawsuit by users of devices running the Android operating system in March 2012, who argued that Google's new policy violated consumers' privacy rights. But a federal judge dismissed their initial complaint, saying the plaintiffs hadn't presented enough facts to substantiate their case. The judge, however, allowed the plaintiffs to amend the complaint. Two later amendments to the lawsuit updated it to make further accusations.

Google recently moved to dismiss the lawsuit entirely, but failed to secure a decisive victory, with U.S. District Court Magistrate Judge Paul Singh Grewal issuing a 28-page decision July 21 that allows parts of the case to proceed.

"Like Rocky rising from Apollo's uppercut in the 14th round, plaintiffs' complaint has sustained much damage but just manages to stand," Grewal writes. "The court grants the motion, but only in part."

Grewal dismissed the "Android Device Switch Subclass," which claimed that Android users incurred extra costs as a result of switching, after Google changed its privacy policies, to a non-Android device. But the judge is allowing two other claims to proceed. One asserts that Google fraudulently created - in violation of California law - a privacy policy designed to obscure the company's plan to distribute users' personal information to third parties. The other alleges a breach of contract for Google depleting Android users' resources by sending data to third parties, whenever they purchased or downloaded an app.

A Google spokesman didn't respond to a request for comment on the judge's decision.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
