Puny Punishment for Goliath: Google Case Exposes Weak US Data Privacy Laws
Google has been forced to pay $22 million in fines this week, a record for data privacy violations but small change for the giant corporation. Internet companies benefit from America's lax privacy and data protection laws, which are unlikely to change any time soon. It's a stark contrast to Europe, where the EU wants to toughen its laws -- and apply them to American companies.
Lots of data, little protection: Most have little hope that the United States will create strict Internet privacy laws.
At first, it sounds like a success for privacy protection advocates in the United States: Google has reached a deal with the Federal Trade Commission (FTC) and has agreed to pay $22.5 million (18.3 million) in penalties after the agency found that the Internet search giant had made erroneous statements in its online privacy statement. A help page on Google included false information about the use of tracking cookies in Apple's Safari browser. Even if users of the browser explicitly requested that no cookies be set for observation of their surfing behaviour, Google still did it. The FTC claims that Google didn't correctly inform its users of this.
Still, the fine is higher than any other the agency has ever imposed -- and far higher than any fine that has ever been imposed in Germany for data protection violations. By comparison, when it emerged in Germany in 2008 that discount supermarket chain Lidl had been systematically spying on its employees with the use of private detectives, the company was forced to pay a fine of only 1.5 million.
And the only reason Google is being forced to cough up is that this is the second time it has fallen under the FTC's radar for data privacy violations. The first instance had been in connection with the company's failed social media service Google Buzz. Generally, the agency is unable to impose penalties with a first violation, although there are some exceptions to this rule, for example if a company has violated the Children's Online Privacy Protection Act (Coppa).
'Beyond the Nerd Level'
Despite the high sums involved in the fine, the case still underscores weaknesses in US data protection regulations. If you speak to Web activists or advocates of privacy protection in the US Congress these days, you can often sense a tone of resignation, despite the FTC's case against Google. Few believe that it will be possible in the United States to push through tougher privacy protection laws within the foreseeable future in order to regulate companies like Google or Facebook more strictly. In recent years, Internet privacy advocacy "has gone beyond the nerd level," said Rebecca MacKinnon, a journalist and civil rights activist with the organization Global Voices Online.
In addition to Google and Facebook, companies like Amazon and Apple are also based in the United States -- firms that deal with the data of millions of people from around the world each day. Given the resignation of many on the issue in the United States, some American data and privacy protection advocates are placing their hopes on the possibility of tougher regulations coming from Europe. "If they raise the tide over there," said one lawyer working on the issue on behalf of the US Senate who preferred not to be identified, "then they could lift all boats."
Of course, data protection policies in the US aren't as toothless as they might at first appear to be. "Once we have a company under order, an order violation can result in substantial civil penalties," said David Vladeck, the FTC's top privacy protection official.
Once a company is under order, as with Google, it means the FTC can then require it to take certain steps. Google and Facebook, for example, were asked to "devise a detailed privacy plan and hire an outside auditing firm to come in every other year and prepare a detailed report regarding the company's compliance," said Vladeck. "If there's non-compliance, that can give rise to a civil penalty." Google and Facebook are required to adhere to this obligation for a 20-year period. Violations, as the Google case demonstrated this week, can result in punitive measures.
Voluntary Commitments in Lieu of Privacy Laws
Still the data and privacy protection policies that companies in the US adhere to are largely voluntary, based on industry initiatives that were undertaken to prevent strict laws from being passed. It is only when a company makes false claims that the FTC is able to intervene. That's also the thinking behind President Barack Obama's latest effort to improve privacy rights. His administration came up with a "Consumer Privacy Bill of Rights," a seven-point list of consumer rights that should be respected by companies who hold private data. On the basis of the Bill of Rights, the US Commerce Department will now work together with willing companies to develop "enforceable codes of conduct," Obama's adviser on Internet issues, Danny Weitzner, recently said at a Washington event.
Once voluntary commitments are made in the Internet industry, they could then be monitored by the FTC and future violations punished. Weitzner calls this approach a "multi-stakeholder process," because many different parties would be working together to create flexible regulations. At the meeting, however, Gigi Sohn of civil rights organization Public Knowledge countered Weitzner, saying, "Multi-shareholder is a codeword for deregulation for some."
Weitzner stressed that the government had no such intention. "We need to do more than just say, 'the market will sort it out'," he said. But Urs Gasser, a Swiss national who currently heads the Berkman Center for Internet and Society, a think tank at Harvard, noted that "the US is still relying heavily on self-regulation."
'A Very Weak Hand'
It's an approach whose possibilities can be exhausted very quickly -- at the very latest at the point when the company has achieved such a dominant position in the market that it becomes tantamount to public infrastructure. Despite the importance of the services in many people's daily lives, those who use Facebook and Google have no alternative but to agree to the companies' Terms of Service.
"We, too, are troubled by 'take it or leave it' offers," said the FTC's Vladeck. But, he added, the "legal tools" the US has at its disposal to challenge take-it-or-leave-it offers are "not substantial." He also added that Germany and the European Union do not have those tools, either. A US Congress employee, who asked not to be cited by name, added that the "FTC are taking the hand they've been dealt, and that is a very weak hand."
In Europe, however, politicians are pushing for a firmer pace for tackling the problem. Viviane Reding, the European commissioner for justice, fundamental rights and citizenship, has already drafted a proposal for stricter data and privacy protection that, if approved, would be applied to the entire European common market. The difference is clear, too: The EU wants to regulate from above, whereas the US wants to handle privacy through voluntary corporate measures and by applying the letter of the law through precedent-setting cases and common law.
The most important thing, said Vladeck, is that "if one looks at the broader, aspirational goals, we are really not very far apart." But while that may be true of goals, there is still broad resistance in the US to some concrete aspects of Reding's plan. Vladeck, for example, finds problematic the notion that European regulations might imply universal juristiction. Nor does he support Reding's demand for a "right to be forgotten," meaning European regulations might require a service to completely eliminate a user's data if that person decides to cancel their account on a site like Facebook. "You need to be able to tell a company how they are able to operationalize that," Vladeck said, adding that it is entirely unclear how companies could do that at this point.
Vladeck also said he believed it was justifiable that US firms are now lobbying to a massive degree in Brussels to ensure that the regulations that emerge will be to their liking. "I don't think it's inappropriate that US companies are involved in this debate -- they are the objects of this regulation," he said.
'We Don't Control Them'
"A really major data breach would probably be necessary" in order for the legislature to make any serious moves, the slightly resigned Congressional lawyer said. One also shouldn't forget that the Internet industry is one of the few sectors in which the US is still registering growth, he said.
One of the lawyer's colleagues, a member of the staff of a Democratic senator, added cynically: "The US government doesn't do anything unless there's money to be made."
© SPIEGEL ONLINE 2012
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH