Going Global, Going Local: Doing Business outside the U.S. Has Impact at Home
What Google didn't tell its users was that the new policy would share the user's information across all Google services, which then allowed Google to compile users' data to create detailed and secret profiles of Google users. Google would then make information about its users available to advertisers on any other Google service for the purpose of targeting ads to particular users.
But in the European Union (EU), regulators not only took note of the new policy, but the EU's 29 data privacy regulators also launched an investigation and criticized Google's new policy because it results in the unrestricted and unregulated use of personal data of users without the users' clear consent. The initial inquiry was led by the French data protection commissioner (CNIL), who provided several recommendations to Google to make changes to the new policy. The CNIL heavily criticized Google and said Google "provides insufficient information to its users on its personal data processing operations," fails to inform users on how long the individual's personal information will be stored, and provided for "uncontrolled" combination of data across Google's services.
At that time in 2012, the CNIL only gave recommendations and did not make any demands on Google. However, this April, data protection agencies in six EU countries announced that they were filing enforcement actions against Google after Google ignored the CNIL's recommendations. These enforcement actions are continuing to have an impact in the U.S.
The EU has a much higher standard for protecting consumer data privacy than we have here. These stricter EU policies influence U.S. data privacy regulation and practice through the EU's regulation of companies that are transferring data from the EU to the U.S. The EU prohibits entities that collect information on individuals from transferring such data to the U.S. unless the transfer is covered by the U.S.-EU Safe Harbor.
The Safe Harbor sets out seven principles to which U.S. entities must adhere to allow for transfer of an individual's information from the EU to the U.S. These principles cover:
(1) providing individuals with adequate notice regarding the purposes for which the organization collects and uses the information ("Notice");
...login to read the rest of this article.