Breach of Consent or EPIC Fail?

By Dan McPheeters

As we touched on in our prior post, the Electronic Privacy Information Center (EPIC) has filed a lawsuit against Google alleging that the controversial new privacy policies that were implemented on March 1st violated the consent decree Google entered into with the FTC last October. The lawsuit was subsequently dismissed when a District Court judge agreed with the FTC that Courts lack the authority to force a federal agency to take action under a consent decree; however, since EPIC is appealing the ruling, the legal question posed by the lawsuit is still relevant. Interestingly, while the FTC has yet to take any formal action against the search giant, key officials have made their feelings known and they are not favorable to the once-beloved tech icon. Moreover, an analysis of the consent decree itself can help shine a light on whether Google has actually done anything wrong in implementing its new privacy policy.

The consent decree at the heart of this issue was entered into to avert further legal action against Google for perceived flaws in its handling of user information gathered by the now-defunct Buzz application. The full text can be found here. At the outset, the agreement explicitly denies wrongdoing on the part of Google, though the FTC is careful to state (and to have Google agree) that it had “reason to believe that [Google had] violated the Federal Trade Commission Act.” This is jurisdictional language that basically prevents Google from challenging the consent decree or the investigation as a whole as beyond the FTC’s authority. Boilerplate, yes, but it gives a strong indication of the purpose of the agreement. Here, it appears that while Google had not crossed a line, or else had entered into a realm that was not “illegal,” they had come sufficiently close that the FTC decided that it needed to step-in. Neither side wanted to engage in the bruising litigation that was sure to follow, and a compromise was struck that ensures Google’s actions are well within established legal limits, while giving the FTC a non-statutory remedy it may not otherwise have in the event they do not.

The content of the decree covers four primary areas: the communication of privacy policies to Google’s users; the implementation of on-going quality control measures to track and improve user privacy protections; third-party audits of the privacy policies and control measures; and record-keeping. The record-keeping provision is ministerial, and not relevant to the overall discussion here.

In communicating its privacy policies to users, Google is affirmative prohibited from misrepresenting “in any manner” the scope of information gathered, Google’s compliance with a privacy regime “sponsored by the government or any other entity,” and the extent to which consumers can control the “collection, use, or disclosure” of information gathered by Google. These are basic anti-fraud provisions, but the “in any manner” language strives for maximum transparency while likely placing a “plain language” requirement on Google’s communications to and agreements with its users. This latter point is borne out in Section II, which imparts on Google the duty to communicate any changes to its information disclosure policy to users independent of any prior end user-type agreements. In short, any time Google adjusts its policy with respect to selling or utilizing information with third parties, the company must share those changes with users. Google must also await an affirmative “opt in” from its users prior to disclosing or sharing information under the new policy.

Google is also bound to create a comprehensive privacy program that addresses risks to consumers and protects the privacy of information gathered by the company in a way “appropriate to [Google’s] size and complexity.”  To this end, the company is required to hire a third-party consultant, approved by the FTC’s Associate Director of Enforcement, to provide assessments of its privacy control and assessment systems. This consultant is required to provide a biennial reports that explain and certify the systems and their compliance with this decree.

Understanding this agreement begins with acknowledging what it does NOT do; nowhere does this consent decree dictate a specific provision to Google’s privacy policies, absent the mandatory “opt in” item. Further, the bulk of the decree outlines a quality control and risk management system that Google is obliged to establish and will be subjected to 3rd party review. The third party review is critical; while the agreement allows Google to continue operating substantively as before, the assessments provided by the consultant will carry tremendous evidentiary weight. Because the consultant will be a “qualified, objective, independent third-party professional,” the FTC will get to apply a “reasonable person” test to Google’s controls by virtue of their ability to select the consultant who will render opinions, without subjecting the reports to a negative light in later litigation by reason of their being prepared by an agent of one of the parties to the dispute. This will likely force Google into relying on more conservative interpretations of and approaches to its privacy regime and restrain its expanding ability to gain access to users data, which were the primary goals of the FTC’s investigation in the first place.

This brings us back to the question of whether EPIC has a legal leg to stand on in its lawsuit. The answer clearly seems to be no. As mentioned, the consent decree does not mandate any specific terms to Google’s privacy policies, with the exception of the “opt-in” provision. It also, very carefully, avoids establishing a standard by which the any of Google’s or the consultant’s obligations will be evaluated in the context of the decree. This means that the FTC’s evaluation of the decree, and decisions as to its enforcement, are entirely discretionary. Assuming EPIC can get past the standing question, there is no standard to which EPIC can hold the FTC in judging the CONTENT of Google’s privacy policy itself. Thus, the suit should fail for lack of justiciability.

Given the publicity surrounding Google’s updated privacy policy and the updates sent to its users (of which this author is one), it seems unlikely that the policy violates the consent decree, absent a negative assessment of its appropriateness from the 3rd party consultant. However, this will probably not quiet the critics. Privacy is being eroded in many ways, but few profit from watching our activities in the same way or degree as Google. It seems somewhat understandable that feeling like data mines whose existence is boiled down into activities that can be tracked and sold to advertisers would rub some people the wrong way, but that is far different from alleging illegality. And, at least with respect to the consent decree, it does not appear that the new privacy policy has crossed the latter threshold.

In our next post, we will look at Google’s troubles in the EU, where it seems that claims of illegality have a stronger legal basis.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s