Stop fighting each other!

Ahead of a discussion about Google and privacy hosted by Big Brother Watch in central London this evening (20 June), one of the speakers, Paolo Balboni, an Italian lawyer specialising in ICT and data protection, looks at the issues raised by Google Street View in Europe.

Six hundred gigabytes of data were collected by Google cars in 22 countries around the world for the Street View service. Since then, nine EU member states (Austria, Belgium, Czech Republic, Denmark, France, Germany, Ireland, Italy, Spain, Switzerland) have acted, mainly through their data protection agencies (DPAs), to stop Google cars’ unlawful collection of personal data. Some of them asked Google to freeze said data during the investigations, others ordered the immediate destruction of the data collected.

Both the Italian and the French DPAs explained in respective speeches that Google cars collected not only information on wifi connections but also the content of communications. Moreover, French DPA president Alex Türk explained that he was willing to set an example with Google in order to make companies understand that as soon as they are dealing with private data, they are liable, and that it is not sufficient to delete data afterwards.

Having consulted a respected computer engineer, we at the European Privacy Association believe the Google Street View vehicles will have amassed the geo-coordinates of the data’s transmission, the date and time of the interception, the to/from IP addresses, the to/from MAC addresses, information on what types of devices those are, the network ID, how many devices are on that network at that particular time, how far that network extends in terms of distance, whether it is encrypted, and, if it is, what type of encryption they’re using, what protocols are in use between the two devices (if unencrypted) and the actual content of messages (if unencrypted).

So what does this have to do with Street View? In order to provide a service that should primarily consist of displaying streets and places to users, Google does not need to collect data concerning how, why, where and when people surf in those locations. Legally, this means the data collected is not proportionate to the task in hand (one of the main principles set forth in the EU Directive 95/46/EC).

Moreover, in order to collect such data lawfully Google, as a general principle, should have informed the data subjects and obtained their prior consent. Given that this did not happen, the data processing carried out by Google has been unlawful, as a number of European DPAs have already stated in their preliminary conclusions to their Street View investgations.

Google has asserted that the data collection was an accident and has promptly started to cooperate with the authorities. However, it is a very serious accident when a company sends cars out to collect pictures of streets and places and they return with the contents of communications which are not only protected by data protection law (and its fundamental principle that individuals should be able to control their use of personal information) but also by the right to privacy and confidentiality of correspondence – a constitutional right in most of the EU Member States. This challenges what Google Director of communication and public affairs for North and Central Europe Peter Barron wrote in his debate contribution: ‘We believe in the principles of transparency and choice and aim to design products that give users meaningful choices about how they use our services and what information they share with us.’

I agree with Director of the Enterprise Privacy Group Toby Stevens when he writes that it is the uncertainty of not having heard all the truth around Street View that worries him the most, that is, ‘the possibility that one of the world’s largest companies is allegedly aggregating personal information and not being transparent about its motives’.

Moreover, Peter Barron wrote that ‘[w]ithin Google we have experienced lawyers whose sole focus is to address these issues’. I say that Google needs to listen to a few lawyers! A first-year law student would have spotted the problems Google are now encountering. I agree with Simon Davies (Director of Privacy International) when he writes that he ‘want[s] to see every Google product risk-assessed’ and ‘subject to a privacy checklist’. My experience as a business lawyer tells me that this is actually what does happen at most of the mature, large ICT companies.

‘Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world’ stated 10 Data Protection Commissioners in their open letter to Google CEO Eric Schmidt in April this year. Commenting this time on Google Buzz they stressed that they ‘remain extremely concerned about how a product with such significant privacy issues was launched in first place’.

Now I fully understand that an opt-in system, where Google has to gain the consent of those affected by the pictures, would have made Street View unworkable. However, the implementation of new business ideas is often stopped (or slowed down) by legal issues. This is because regulations are issued precisely to prevent a wild and uncontrolled development of businesses and services – even when they may be useful – that may breach fundamental rights and freedoms. Given what has recently been discovered about Street View, I think it is normal and sound at this point to stop for a moment (or slow down) the implementation of Street View. As Conservative MP Robert Halfon rightly said, ‘there’s a great difference between advancement of the internet and violating people’s right to privacy”.

One problem must be acknowledged. Laws and regulations on the issue of privacy and data protection are far from being globally uniform. Objectively, it is very challenging (if not impossible) for an innovative ICT company to comply with all the applicable laws in the world and to keep their business up and running at a fast pace. As far as data protection is concerned, more and more services are encountering numerous compliance issues related to the absence of global data protection rules/standards. For example, one should consider cloud computing services, a market that is significantly expanding, in which a number of big players are involved (eg, Amazon, Google, Microsoft, SaleForce, IBM, etc).

In my view, big companies should stop fighting each other on the issue of privacy. It would be more beneficial both for them and for users if such companies start to work out best practices together with DPAs and Privacy Commissioners around the world, with the aim of setting out workable international privacy standards. For example they could start to work on a practical explanatory memorandum for the International Standards on the Protection of Personal Data and Privacy (The Madrid Resolution). Google, in its position as a world champion ICT business, could actively promote these activities, thereby setting the example.

Once agreed upon, international privacy standards could be embedded directly into companies’ products and services following the very valuable concept of Privacy by Design. In fact, the Article 29 Working Party has recently proposed to include this, together with ‘accountability’, as principles in the EU legal framework of data protection.

In the meantime I think we all hope that Google, as well as all organisations entrusted with people’s personal information, will follow the recommendation issued by the 10 Data Protection Commissioners in their letter to Schmidt, where they urged Google ‘to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum: collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service; providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent; creating privacy-protective default settings; ensuring that privacy control settings are prominent and easy to use; ensuring that all personal data is adequately protected; and giving people simple procedures for deleting their accounts and honouring their requests in a timely way.’

Paolo Balboni is attorney-at-law in Milan specialising in ICT Law and Personal Data Protection. He is also a member of the European Privacy Association and the Italian Institute for Privacy,. See his website here. Paolo will be speaking at an event discussing Google, Street View and privacy at Big Brother Watch’s offices in Westminster at 6pm on 20 July. See here for details.