Google’s Privacy Push: Smoke or Substance?

Imagine a company that relentlessly scoops up data and turns it into useful information. It then makes the useful information available to consumers around the globe. How does it make money? It charges advertisers, then delivers targeted ads to consumers on the basis of what sort of information these consumers are trying to find.

Further posit that this company was started with a philosophy that technology could change the world for the better. “You can make money without doing evil” is an explicit part of this philosophy. Now ask yourself: Is retaining months or even years’ worth of data about user behavior “evil,” or is it merely a necessary aspect of providing all of that wonderfully useful information to consumers?

Of course, Google is the company in question. Earlier this year Google announced that it would hold personally-identifiable user data for a period of 18-24 months. Peter Fleischer, the company’s Global Privacy Counsel, cited the nascent EU Data Retention Directive and potential US data retention laws as limiting Google’s ability to drop the retention period any further.

Now Fleischer is promoting an information privacy policy framework that was created in 2004 under the auspices of Asia-Pacific Economic Cooperation. The APEC Privacy Framework (PDF) is advisory in nature, which is in keeping with the overall approach of APEC. From the APEC website:

Unlike the WTO or other multilateral trade bodies, APEC has no treaty obligations required of its participants. Decisions made within APEC are reached by consensus and commitments are undertaken on a voluntary basis.

In broad strokes, the APEC Privacy Framework calls for consumer access to personal data from organizations that gather such data about them. However, the Framework does not advocate rigid requirements for businesses that collect personal data. The words “practical” and “practicable” turn up 14 times in the 23-page document.

It may be that Google figures the APEC Privacy Framework is in fact the most realistic approach to promulgating some sort of basic global understanding about information privacy standards. The European Union’s data retention policies are more specific than the APEC Privacy Framework, and arguably the EU is not necessarily a representative subset of the global economy. In contrast, APEC is much broader in the range of its member nations’ privacy traditions. According to its website, the following nations are APEC members:

Australia; Brunei Darussalam; Canada; Chile; People’s Republic of China; Hong Kong, China; Indonesia; Japan; Republic of Korea; Malaysia; Mexico; New Zealand; Papua New Guinea; Peru; The Republic of the Philippines; The Russian Federation; Singapore; Chinese Taipei; Thailand; United States of America; and Viet Nam.

China, Japan, Russia, and the United States stand out from this list. Perhaps ultimately Google is putting its weight behind the APEC Privacy Framework because it is nonbinding, essentially business-friendly, and stands the most chance of actually being adopted at a global level.

2 responses to Google’s Privacy Push: Smoke or Substance?

10.25.07 • Joseph J. Wang

Google’s statement that APEC is more likely than the EU to come up with a globally acceptable privacy standard is groundless.

Cultural diversity is not necessarily related to diversity in expectations of user privacy. The fact that, in local communities, one culture shares personal information more freely than another does not mean both cultures won’t react similarly to risks imposed by the same search engines.

Sure, intuition says a decision by a more diverse group likely involved consideration of more points of view. But this intuition does not apply to origination of ideas. Nothing constrains a less diverse group from coming up with a winning proposal. A single human mind could possess the creativity and insight to do it.

Generally, I don’t mind corporations touting their commercial motives as coincident with public interest. But here, Google draws upon stereotypes of Asian, European, and North American nations, and asserts that a combination of Asian and North American nations is more likely to propose a globally acceptable privacy standard. There is no support for this.

The EU has a privacy standard specific enough to matter to users. The APEC framework only has a vague set of principles. Even if every nation embraced the APEC framework today, Google would face a myriad of differing interpretations enacted into laws in the various nations. This would defeat Google’s call for consistency and certainty.

The EU standard can be debated and perhaps modified, provision by provision, until something globally acceptable emerges. In my view, this makes the EU Directives far more viable than the APEC principles.

11.29.07 • Alvin

This is a side note on the US regulations on data privacy, namely the Consumer Privacy Protection Act of 2005 (H.R.1263) (“CPPA”).

The Consumer Privacy Protection Act was introduced on March 10, 2005 by Rep. Clifford Stearns (R-FL). The Bill was an attempt “to start the process of developing a consistent, federal approach to privacy.” The hope is that the Bill will “offer better uniformity and more efficient regulation as information technology, the use of consumer information, and domestic and international commerce continue to become more integrated, and in some cases, converge.”

The CPPA sets forth a consumer data privacy protection policy. It protects the individual privacy under the Congress’s power to regulate interstate commerce. It requires data collection agencies to provide generally privacy notice to consumers when there is potential misuse. It allows the consumers to limit (but not eliminate) the use of the private information collected. And it provides disclosure statement requirements (in contrast to use). It also outlines the data collector’s information security obligations, as well as setting forth the standard of self regulatory programs.

The CPPA has some deviations from OECD Guidelines in that it has narrower scope in defining what constitutes “personal data.” If the UK DPA is any guidance, the CPPA will not be regarded as fully compliant. The CPPA excludes State governments even when combined with other Federal laws. The CPPA excludes small business entities, when there is no actual harm. In itself, the CPPA does not satisfy the general OECD guidelines. However, because there are other privacy laws (notably the Privacy Act of 1974), the differences are partially mitigated if CPPA is to work in concert with the Privacy Act. And based on the Australian example, the exemptions on small businesses may not be fatal. Therefore, although CPPA is not adequate standing alone, it may support the conclusion that the US data privacy law offers adequate data privacy protection such that the data exchange between EU Member countries and the US is permissible. However, the CPPA will probably not be the perfect consumer protection legislation, at least not until the small business exemption is addressed.

Tech LawForum, sponsored by the High Tech Law Institute, Santa Clara University School of Law