Supreme Court And European Union Expose Google’s Massive Privacy Liabilities
Google has privacy clay feet.
The NSA and Big Data may also, since they are relying on many of the same outdated legal assumptions as Google.
In the last few months, both the U.S. Supreme Court and European authorities have made new baseline privacy decisions that have greatly strengthened individuals’ right to privacy. As a result, they’ve also exposed and heightened Google’s massive privacy liabilities.
Contrary to tech-driven conventional wisdom, privacy is not dead. It’s being resurrected by SCOTUS in the U.S. and by various European authorities in the EU.
This post-Snowden change is real and profound. The next twenty years will be different than the last when it comes to privacy.
Some may have heard of some of these individual privacy decisions, but most have missed the new big trend — that people actually do have a legal right to privacy.
Google is the focus of this privacy discussion because of its pervasive, invasive collection of private data, and its uniquely defiant legal and operational assumption that people have “no expectation of privacy” when Google acquires their private data.
Let’s start in the U.S.
Last month SCOTUS refused to hear Google’s appeal in “Google v. Joffe,” which declared Google Street View’s mass-collection of millions of homes’ unencrypted WiFi signals as illegal interceptions, or wiretaps, of private communications — not legal collection of public communications, as Google tried to argue.
This is a big decision — the court effectively rejected Google’s longstanding data-collection presumption that if communications are not encrypted and Google can technically, easily, or cheaply intercept them, then Google can deem them public instead of private.
Google’s routine records interception of communications from Google and non-Google users involving Gmail, Glass, YouTube, Android, etc. represents the company’s broad legal presumption of “implied consent.”
The seriousness here for Google is two-fold. The first discovery was in the Gmail class action case “Fread v. Google,” which exposed Google’s secret install of a “Content One Box” to intercept, read and analyze all emails prior to reception from 2010 to 2013, according to Bloomberg.
In the case Federal District Court Judge Lucy Koh ruled Google was not exempt from wiretap law, and that creating personal advertising profiles by reading people’s email is not an “ordinary course of business.” Koh went to say that “accepting Google’s theory of implied consent… would eviscerate the [wiretap] rule against interception.”
That means Google secretly, and without reasonable consent from users, intercepted three years of email communications from more than one hundred million Americans and just as many Europeans for commercial purposes.
It is very likely the largest illegal commercial wiretap in history.
In the court’s “Riley v. California” decision last month, the court ruled unanimously that a person has a right to privacy over the content of their smartphone, and that police must get a warrant to search it.
According to the court, “modern cell phones are not just another technological convenience. With all they contain and all that they reveal, they hold for many Americans the privacies of life.”
The decision marks a revolutionary and transformative privacy precedent.
Google and the NSA have justified their omni-interception and collection of people’s data on the pre-digital 1979 SCOTUS precedent “Smith v. Maryland.”
At the time the court ruled that checking a third party’s phone logs was not a search, and thus people had “no expectation of privacy” if a third party gained possession of someone’s private information.
Anyone who reads the unanimous “Riley v. California” decision can’t help but realize that the court, for the first time since 1979, has effectively updated and changed its fundamental legal take on the constitutional right to privacy, and what a digital search constitutes today.
Apparently technology may change, but one’s constitutional right to privacy under the Fourth Amendment does not.
Google and Big Data undoubtedly have taken note concern, because if the circumstances require the government to get a warrant, third parties will be expected to get reasonable consent from users to obtain their private data for commercial purposes.
According to the court “more substantial privacy interests are at stake when digital is involved,” and “cell phones differ in both quantitative and qualitative sense from other objects.”
The court was unanimous in recognizing four big privacy changes: the breadth of “many distinct types” of private information that reveal much more in combination,” the vast “capacity” of data involved, that information can “date back for years,” and that “the data viewed… may be stored on a remote server.”
Now consider that Google combines orders of magnitude more information about more people than any cellphone, stores an unimaginable amount of data about people, stores it largely indefinitely and does it all on remote servers.
If the court applies this new Internet-age logic and digital data reality to future privacy cases involving Google, the NSA or Big Data, they’re logically going to come to a different conclusion than SCOTUS did in 1979.
Big change is afoot for privacy in the U.S., and even bigger in Europe.
In March the European Parliament overwhelmingly voted 621-10 for stronger data protection laws in its first update to European privacy law since the advent of the Internet in 1995.
That same month, the European Parliament overwhelmingly backed a resolution calling for the suspension of the US-EU data protection Safe Harbor that lets U.S. firms self-certify as being in compliance with EU privacy law in a 644-78 vote.
The EU is asserting sovereignty over the European Internet, so European data will be subject to EU law and stored in the EU. The law also grants EU citizens the right to demand erasure of their online data for the first time.
In May a high-profile court decision by The Court of Justice of the European Union quickly enforced Europeans’ “right to be forgotten” by requiring search engines like Google to remove links to irrelevant or outdated information on regular citizens based on their right to privacy.
“The ruling confirms the need to bring today’s data protection rules from the ‘digital stone age’ into today’s modern computing world,” EC Justice Commissioner Viviane Reding said.
The ruling eviscerates Google’s claim that it has an absolute right to free speech in organizing search results, and that no outsider can legitimately request a change in the Google search algorithm. The legitimization of the right to be forgotten will lead to more exemptions for privacy, copyright, etc.
The development that may signal the biggest privacy liability for Google may be a recent decision by the Italian data protection authority, which could be the first of such national decisions to come from France, Spain, Germany, The Netherlands and the U.K. — countries that previously have banded together to enforce privacy law against Google.
“Google would not be allowed to use the data to profile users without their prior consent and would have to tell them explicitly that the profiling was being done for commercial purposes,” the Italian ruling said, according to Reuters. “It also demanded that requests from users with a Google account to delete their personal data be met in up to two months.”
To the extent that European privacy authorities enforce European data protection law, Google will have to revolutionize the way it treats Europeans’ privacy and data.
Europe is essentially calling Google’s bluff.
Now the company that has long boasted of its innovation and superiority in targeted advertising and personalized services on a global basis will be expected by European privacy authorities to, in turn, personalize European users’ real control over what information Google collects on them and how it monetizes it.
The more the privacy authorities learn, the more they will realize that Google has broken users’ private data eggs and scrambled them for their own convenience and profit maximization.
Undoing this mess of Google’s own making is going to be very costly for Google. It will take many years and constant regulatory vigilance by the EC and EU member nations to accomplish.
Other Big Data companies have privacy liabilities, but none on the scale, scope and seriousness facing Google going forward.
Justice Roberts poignantly wrote that “privacy has a cost” in the recent “Riley v. California” decision.
“Privacy has a cost” because privacy is valuable.
It appears the tech assault on privacy rights of the last twenty years may have bottomed out, and the legal obligation of respecting individual’s right to privacy is beginning a long climb back.
Google is on a collision course with SCOTUS and the EU — Google will either be forced to respect people’s privacy, or the two will surrender their sovereignty to Google’s exceptional market power over private information.
Scott Cleland is President of Precursor LLC, a consultancy serving Fortune 500 clients, some of which are Google competitors. He is also author of “Search & Destroy: Why You Can’t Trust Google Inc. Cleland has testified before both the Senate and House antitrust subcommittees on Google and also before the relevant House oversight subcommittee on Google’s privacy problems.