There have been two major developments in recent weeks that could have long-term consequences for the privacy of Europeans. One seems positive; the other is concerning.

On the positive side, Vice-President of the Commission Viviane Reding proposed a major overhaul of the EU’s data protection framework – already regarded by many as the toughest data protection regime in the world. A major purpose of the sweeping new regulation is to modernise the EU rules to meet the challenges posed by new and evolving technologies, including in particular the internet. While some in industry will undoubtedly disagree with aspects of the proposed regulation – and I suspect we may be in for a lengthy legislative process – few would disagree that an update is needed.

At about the same time that Mme Reding announced the proposed changes, the world’s leading internet company – Google – announced sweeping changes to its own privacy practices. The new practices, in effect since 1 March, enable Google to combine nearly all the personal data it collects across more than 60 services and use the information to sell advertising, with no opportunity to opt out.
And, worryingly, the European arsenal has not been able to actually stop this from happening, even though the new policy raises serious issues under the EU’s existing data protection rules.
Just last week, for example, a senior official of the UK DPA criticised the policy for being too vague. “The requirement under the UK Data Protection Act is for a company to tell people what it actually intends to do with their data, not just what it might do at some unspecified point in the future,” said David Smith, Deputy Information Commissioner. This echoes concerns raised by France’s CNIL, which is leading an investigation into the new policy on behalf of the Article 29 Working Party. According to the CNIL, its preliminary analysis indicates that the “new policy does not meet the requirements of the European Directive on Data Protection”. The CNIL also raised particular concerns with the combination of personal data across services under the new policy and expressed “strong doubts about the lawfulness and fairness of such processing”.
In a welcome move, the Article 29 Working Party asked Google to pause implementation of its new policies, pending the outcome of the investigation. Google, however, has refused.
The EU has what many regard as the ‘gold standard’ in data protection law, and Europe’s rules certainly look strong on paper. But if a company that controls 95% of the European search and search advertising markets feels it can act with impunity, those protections are worth little to European users.

Google has thrown down the gauntlet to European regulators by refusing to accede to the Article 29 Working Party’s request for a delay in implementing its new privacy practices. The credibility of the EU’s data protection system is at stake. In the European Parliament, the S&D group seems to have recognised this. In a statement, the group called on the European Commission to “take immediate action to tackle any potential violation of EU citizens’ privacy and rights”.
Europe must now rise to the challenge and make it clear to Google, and to any others like it, that EU data protection law is to be taken seriously. Good laws are important, but they are worth little to users without effective enforcement.

