FTC-Google Settlement Marks Two "Firsts" in FTC Privacy Enforcement

Google recently settled charges by the Federal Trade Commission (FTC) that Google’s social networking service, Buzz, violated the FTC Act.  The FTC-Google settlement prohibits Google from misrepresenting the extent to which it maintains and protects the confidentiality of users’ information and from misrepresenting its compliance with the US-EU Safe Harbor Framework.  In that regard, the settlement represents two important “firsts” in FTC enforcement:

  • The first time a comprehensive privacy program (as opposed to a comprehensive security program) was required by an FTC consent decree.
  • The first time the FTC has enforced the US-EU Safe Harbor Principles for substantive non-compliance.

Unlike prior settlements in response to data security breaches where the FTC required the implementation of a comprehensive information security program as a remedial measure, the Buzz settlement requires Google to enact a comprehensive privacy program, consistent with the Commission’s “privacy by design” approach that we have previously blogged about.  Specifically, the FTC’s proposed settlement requires Google to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

The settlement also requires Google to “clearly and prominently disclose” if a user’s information will be disclosed to third parties, the identity or specific categories of such third parties, and the purposes for sharing; and to obtain affirmative consent from the user regarding the sharing.  In addition, the settlement requires Google to provide a report on the effectiveness of the company’s privacy program biennially to the FTC for the next twenty years.

The FTC’s Complaint that underlies the settlement alleges that Google launched the Buzz social networking service in February 2009 within its Gmail product.  Upon logging into their Gmail accounts, users were presented with the option to “Check out Buzz” or proceed to their Gmail inbox.  The FTC alleged that even if a user opted to go to his or her inbox, that user’s information was still shared with others in the Buzz network.  The FTC claimed that Google therefore did not use the information that users provided to Google only for the purpose of providing them the company’s web-based email service (Gmail) – rather, Google also used this information in connection with the Buzz social networking service.  Moreover, Google did not request users’ consent before using the information collected from Gmail users in connection with Buzz. 

The FTC further alleged that if a user clicked a link to “Turn off Buzz,” certain information about that user was still shared with others.  Moreover, the FTC alleged that Buzz did not adequately communicate that certain previously-private information would be shared by default and that certain personal information was shared without users’ permission.  The FTC also claimed that the “Turn off Buzz” link and the option to go to the user’s inbox without signing into Buzz were false or misleading because they represented that a user either would not be enrolled in, or would be removed from, Buzz, when in fact users were enrolled in, and not removed from, the service.

The FTC also alleged that Google failed to disclose how a user’s information would be shared.  These allegations also amounted to a substantive violation of the US-EU Safe Harbor Framework, according to the FTC—particularly, the Notice and Choice and limited purpose principles.

These practices also violated Google’s own privacy policy in effect at the time Google Buzz was launched, according to the FTC.  In pertinent part, the policy stated that “Gmail stores, processes and maintains your messages, contact lists and other data related to your account in order to provide the service to you” and “[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” (Emphasis added.)

In settling the FTC’s charges, Google did not admit the truth of any of the FTC’s substantive allegations.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up.  The settlement’s requirement that Google enact a comprehensive privacy program demonstrates that the FTC is serious about privacy and foreshadows potential future settlement terms.  The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

EPIC Petitions for a Closer Look at the Cloud - Privacy Group Asks the FTC to Investigate Google Cloud Computing for Inadequate Safeguards and Unfair and Deceptive Trade Practices

The Electronic Privacy Information Center (“EPIC”) recently filed a complaint with the Federal Trade Commission (“FTC”) accusing Google of failing to implement adequate privacy and data security safeguards and engaging in unfair and deceptive trade practices related to its “cloud computing” services.

EPIC asked the FTC to open an investigation into Google’s cloud computing services and to bar Google from offering such services until it establishes adequate safeguards.  EPIC also requested that the FTC compel Google to contribute $5 million “to a public fund that will help support research concerning privacy enhancing technologies, including encryption, effective data anonymization, and mobile location privacy.”

Cloud computing refers to a system that provides off-site software application and data storage services to consumers and businesses through the Internet.  Google’s cloud computing services include Gmail, Picasa Web Albums, Google Calendar, Google Desktop and Google Docs. 

EPIC’s complaint followed on the heels of a reported data breach involving Google Docs.  On March 7, 2009, user documents and files saved through the Google Docs service were exposed to unauthorized users.  EPIC also highlighted other purported flaws in Google’s cloud computing services, including a January 2005 incident that allegedly compromised Gmail usernames and passwords, and two separate vulnerabilities with Google Desktop that permitted access to users’ sensitive data. 

In its complaint, EPIC stated that “Google’s inadequate security practices, and the resultant Google Docs Data Breach, caused substantial injury to consumers, without any countervailing benefits.”  Moreover, EPIC charged that Google made material misrepresentations “that misled consumers regarding its security practices, and users reasonably relied on Google’s promises.”  For instance, EPIC argued that Google assured Google Docs users that “files are stored securely online” and that all documents are saved “to a secure online storage facility.”  According to EPIC, in light of the Google Docs breach, the assurances Google made to consumers were deceptive, and thus, the FTC should step in to protect consumers.

For more information on the privacy issues surrounding cloud computing services, please see our prior blog post here.

Google Execs Face Privacy-Related and Other Criminal Charges for Taunting Video

Several Google executives, including the Company’s global privacy counsel, Peter Fleischer, will face criminal charges in Italian court stemming from Italian authorities’ two-year investigation of a video posted on Google Video showing a disabled teen being taunted by classmates. The video, posted in 2006, depicts four high school boys in a Turin classroom taunting a classmate with Down syndrome and ultimately hitting the young man over the head with a box of tissues. Google removed the video on November 7, 2006, less than twenty-four hours after receiving multiple complaints about the video. Nonetheless, Fleischer and his Google colleagues face criminal charges of defamation and failure to exercise control over personal information that carry a maximum sentence of three (3) years.

According to the International Association of Privacy Professionals, which broke the story on February 2, 2009, the charges against Fleischer are believed to be the first criminal sanctions pursued against a privacy professional for his company’s actions. Under European Union legislation that was incorporated into Italian law in 2003, Internet service providers (“ISPs”) are not responsible for monitoring third-party content posted to their sites, but are required to remove offensive content if a complaint is received. These laws offer to ISPs protections that are similar to those found under U.S. law in Section 230 of the Communications Decency Act of 1996. (See our Section 230 posts here.) But Italian authorities, specifically Milan public prosecutor Francesco Cajani, are prosecuting Google as an Internet content provider, rather than as an ISP, and Italy’s penal code states that such providers are responsible for third-party content on their sites. Cajani believes that Google, and its executives, violated this provision by allowing the 191-second clip to be uploaded to its video site.

On February 3, the Italian judge hearing the case -- which is expected to be ongoing for months -- suspended the proceedings until February 18 to consider procedural issues, but Google maintains that it did not violate any laws with respect to the video posting.  Also on February 3, the City of Milan joined the case with civil charges that Italian lawyers have cited as the rough equivalent of a class-action suit in the United States.  The city, according to Rocco Panetta, an Italian lawyer with Portolano Colella Cavallo, is representing several individuals it claims were injured by Google.

In a statement released on February 2, Google expressed sympathy for the victim’s family, but insisted that “We feel that bringing this case to court is totally wrong.  It’s akin to prosecuting mail service employees for hate speech letters sent in the post. What’s more, seeking to hold neutral platforms liable for content posted on them is a direct attack on a free, open Internet.  We will continue to vigorously defend our employees in this prosecution.” Google’s public policy counsel for Google Italia, Marco Pancini, further commented that “We are confident the process will end in our favor.”

"Boring" Couple Want to Stay That Way

Google Inc. (“Google”) has filed a motion to dismiss a complaint by a Pittsburgh couple, Aaron and Christine Boring (“the Borings”), over Google’s alleged invasion of the Borings’ privacy through Google’s Street View service. Launched last May, Street View provides a navigable, 360-degree view from the streets of many U.S. cities, including Pittsburgh. 

The Borings have sued for invasion of privacy, trespass, negligence and unjust enrichment and seek damages from mental suffering and diminished property value. In their complaint, the Borings argue that Google recklessly invaded their reasonable expectation of privacy by trespassing onto their property, passing a sign reading “Private Road, No Trespassing.” From the Borings’ driveway, Google captured exterior images of the Borings’ residence and swimming pool that Google made visible with Street View.

In Google’s motion to dismiss, Google argues the invasion of privacy claim is lacking because the Street View service images must be considered in the context of what others can already view from the street. That is, any delivery person, service provider, or guest who turns around in the Borings’ driveway sees the same view as from the Street View point of view. Only if there had been a barrier or closed gate would a reasonable expectation of privacy possibly arise. In introducing this argument, Google quotes commentary from the Restatement (Second) of Torts (relating to invasion of privacy torts) that

    [c]omplete privacy does not exist in this world except in a desert, and anyone who is not a hermit must expect and endure the ordinary incidents of the community life of which he [or she] is a part.

As to the trespass issue, Google points to the privilege of consent that may be implied from custom. One such custom is driving up to a driveway or approaching the front door of a private home “absent a locked gate or other express notice not to enter.”  

Interestingly, the Borings filed a lawsuit rather than using the Street View service’s removal option; similar photos of the Borings’ house were already publicly available online; and the Borings have garnered more attention by proceeding with a lawsuit rather than removing the images.

Proskauer Rose summer associate David Neinstein contributed to this report.