By Jennifer L. Saunders
Amid announcements Wednesday by the Federal Trade Commission (FTC) and Google that the two have reached a settlement agreement on privacy issues raised over last year’s introduction of the Google Buzz social network, FTC officials, privacy experts and advocates alike have been weighing in on the implications of the proposed settlement.
Under the proposed settlement, Google has agreed to provisions including the implementation of a comprehensive privacy program to include independent privacy audits for the next 20 years.
In its announcement, the FTC specifies, “The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-EU Safe Harbor or other privacy, security or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties...”
FTC Commissioner J. Thomas Rosch issued a separate statement on the proposed agreement, stressing that he has approved of accepting the consent decree for public comment purposes but has concerns that such an opt-in requirement in the agreement “might sometimes be contrary to the public interest.”
Elizabeth Johnson, a partner and the Privacy and Information Security Practice leader at Poyner Spruill LLP, shared insights into the implications of the proposed agreement with the Daily Dashboard following the announcement on Wednesday.
“There are really quite a lot of interesting things in the settlement,” she said, noting, “The requirements related to the implementation of a comprehensive privacy program are fascinating.”
Johnson pointed to the requirements the FTC is calling for to be layered with Google’s wide variety of products and services, suggesting, “The privacy program that should result will be epic in scale. Imagine the job of auditing it every other year for 20 years, even if Google never added another product or service, which is about as likely as the FTC never taking another enforcement action.”
In terms of Safe Harbor, Johnson noted that through this agreement, “the FTC has put some teeth into the notice and choice principles with this action.”
Johnson also suggested the settlement will allow the FTC to advance the concept of privacy by design.
“The requirement that Google must identify privacy risks through an assessment process during ‘product design, development and research’ cries out for a privacy impact assessment and the resultant integration of privacy into products and services at their infancy,” she said.
Katie Ratte of the FTC’s Bureau of Consumer Protection told the Daily Dashboard that the proposed settlement “is groundbreaking for us because it’s the first time we’ve required a company to implement a privacy program to protect consumer data. We think this will help to protect the privacy of millions of consumers who use Google’s products and services. It’s something we called for in the FTC staff report, and we think it’s important for all businesses to incorporate into their business operations today.”
Google Global Privacy Counsel Jane Horvath, CIPP, CIPP/G, told the Daily Dashboard on Wednesday that the agreement is “a very strong consent decree, which will set up bi-annual reviews of our internal privacy process by outside experts—reviewed by the FTC—and mandates affirmative consent before we change how we share or disclose personal information.”
CNET, meanwhile, reports on reactions from both the Electronic Privacy Information Center (EPIC), which had asked the FTC to investigate Buzz, and TechFreedom, which CNET’s Declan McCullagh describes as a free-market think tank.
EPIC has called the settlement the FTC’s “most significant privacy decision,” while TechFreedom President Berin Szoka said that, in light of calls for federal privacy laws, the settlement “should remind us that the FTC already has sweeping powers to punish unfair or deceptive trade practices.”
“When companies make privacy pledges, they need to honor them,” FTC Chairman Jon Leibowitz said when the settlement was announced on Wednesday, adding, “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”
Alma Whitten, director of privacy for Google Product & Engineering, wrote on Wednesday that while Buzz’s launch “fell short of our usual standards for transparency and user control—letting our users and Google down…we are 100-percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward.”
Looking to the future, Johnson said she would expect that if the settlement is finalized, “The implications for the regulated community will be a monumental shift in thinking about how to implement privacy. Privacy impact assessments and privacy by design will no longer be best practices; they will be legally required to ensure that an organization does not run afoul of the FTC Act. Privacy professionals certainly saw that day was coming, but I don’t think any of us expected it would arrive so soon. It effectively arrived today.”
Public comments on the consent agreement are being accepted through May 2.
Staff Writer Angelique Carson contributed to this report.