The 27 EU DPAs, associated in the so-called Article 29 Working Party, found that Google’s policy fails to comply with existing European privacy law, specifically the 1995 Data Protection Directive and the 2002 ePrivacy Directive, and asked Google to make broad changes to its policy. In particular, they found that Google does not respect EU law requiring that personal data be collected and processed only for limited purposes, that users be clearly informed of these purposes, and that they be given the right to opt out. In the press conference that followed the presentation of the report, CNIL President Isabelle Falque-Pierrotin and Article 29 Group Chairman Jacob Kohnstamm gave Google a deadline of four months to make the required changes, failing which the DPAs will take legal action.
Initial coverage of the Article 29 Group’s ruling has focused on Google’s free consumer services. But the ruling’s most far-reaching implications concern Google Apps, a suite of email and office collaboration apps aimed at organizations. If fully applied, the ruling could effectively shut down deployments of Google Apps by European governments, schools and enterprises, at least until Google makes the changes the EU regulators are seeking. The reason stems from a brief paragraph buried in the middle of the report:
“For Google Apps end-users, the use of a Google Account is decided by the Google Apps customer (typically the company that employs the end-users): consent may therefore not be valid. Google should apply limitations to the combination of data across services and this combination should be restricted to the services included in the Google Apps offer.”
Under European law there are certain things an online service cannot do unless the user has expressly consented. For example, it may not data mine the user’s content for purposes of targeted ad delivery. Thus, when a customer organization imposes on its members (employees or perhaps students) the use of a cloud email service that relies on such data mining, the organization may not consent on the members’ behalf to the gathering and processing of their personal information. Only individuals can consent to such use of their data, if properly informed of the purposes for which the data is gathered and processed, and if allowed to opt out.
While the Article 29 Group ruling has implications for all organizations using cloud services (including giant corporations such as Spain’s BBVA bank, which recently signed up for Google Apps), it may have the most impact on governments and schools, which are particularly sensitive to privacy issues and regulatory requirements. In the U.S. the public sector has been the most enthusiastic early adopter of cloud email and document collaboration services. European governments and schools are at an earlier stage of cloud adoption than their U.S. counterparts, and they are likely to be all the more wary of adopting Google Apps until Google reaches a settlement with the Article 29 Group.
Is the Article 29 Group ruling now in danger of becoming a serious roadblock to adoption of cloud services by Europe’s governments, schools and enterprises? Not necessarily. If Google and the other big cloud providers are willing to make the changes to their privacy practices that the EU DPAs have politely but firmly requested – and there is no reason to think that these changes will break the business models or capacity for innovation of these providers – then the result could well be an acceleration of cloud uptake by both public and private sector organizations in Europe. Let us hope that Google and the European DPAs will rapidly reach a settlement satisfactory to all sides, and thus prove that careful government regulation and dynamic new market innovations such as cloud computing are not incompatible.