Why Is Google Dragging Its Heels on European Privacy?

CNIL

By Doug Miller

Last week saw the latest chapter unfold in Google’s privacy battle with the European Union. In October 2012, France’s Commission Nationale de l’Informatique et des Libertes, or CNIL published a set of recommendations, on behalf of 27 European data protection authorities, suggesting that Google should address the “uncontrolled combination of data across services” and other data collection issues in its new privacy policy. The CNIL has now announced that Google has not provided a satisfactory response and it will proceed with recommending “repressive action” against Google. My colleague Jeff Gould published a piece this week on Google’s new battle with Europe and asked the question: who will win? Perhaps an equally interesting question to ask is: why isn’t Google complying with European privacy requests? No one can know for sure what Google’s management is thinking but one set of circumstances may be a factor in its lack of response.

Google’s Business Model

Before looking as these circumstances it is worth reviewing what business Google is in. Google is an advertising company and generates 95% of its revenue selling ads to businesses. Google has been extremely successful with its online contextual advertising business. By combining personal information it has gathered with web session information and browsing habits, it is able to display paid ads that relate to the user’s interests. The more relevant the ads are, the more likely the user will click on an ad at which time Google earns revenue. While Google appears to be involved in many different service offerings, such as Gmail, YouTube, and search, all of these are vehicles for gathering user information which can be used to further enhance the ad business.

One Size Fits All Technology

It is clear that Google has made efforts to use the same underlying technology for each of its offerings across all segments and geographies. These technologies are designed to both deliver the service and to gather user and session information for the purpose of delivering contextual ads. Gmail is a good example. Gmail looks the same regardless of whether you use the consumer version or one of the professional Google Apps versions designed for business, government or education users. While professional users have the option to use Gmail without seeing ads, the ad engine is nevertheless still there and can be turned on by the organization. Even when ads are turned off, Google’s privacy policy still allows it to gather personal and session information for use in displaying ads in other non-Google Apps services such as search. Gmail is available in localized versions but the same user interface and underlying ad engine is used for all versions. Even still, having data mining and the option to turn on ads in a service designed for public sector users seems out of place if not contrary to data protection laws.

Google benefits greatly by using this “one size fits all” model. Instead of engineering different products for different markets, the same technology, which originated as a consumer ad-oriented service, is used across every market. With Google’s increasing reach, the per-user cost of delivering its services is lower than what it is for competitors who have different products for different markets. Plus Google can use user data to generate ad revenue which further offsets its costs and helps to feed the extremely profitable ad business. However, repackaging a consumer product such as Gmail for mission-critical public sector use has not always been successful, as demonstrated by the rejection of Google Apps by the Los Angeles Police Department.

One Size Fits All Policies

Another example of this “one size fits all” strategy is the new Google privacy policy. Instead of having different privacy policies for different services, customer segments and geographies, Google unilaterally imposed a single privacy policy last March that defines how it collects, uses and combines data across all its services. It is important to note that this privacy policy gives Google broad rights to acquire vast amounts of personal and session information, combine it with information from other services and use all this to deliver better ads and improve its products.

The problem is – this type of data collection is potentially illegal in Europe and many other countries. As witnessed with the CNIL statements, which are supported by data protection agencies in 27 European countries, Canada and many Asian countries, Google has been asked to change its privacy policy to conform to local laws. However, to implement these changes, Google would not only have to alter its privacy policy – it would have to substantially customize its technology for each geographical region. Essentially it would have to tune or potentially turn off its data collection engine in order to comply with the law. This breaks its unified service model and would undoubtedly drive up Google’s compliance and engineering costs. But most important, if implemented it would deprive Google of the very valuable information it collects to feed its data-driven ad business.

Without personal data online ads are just ads – not tuned to your tastes and therefore less valuable. So anytime Google is restricted in its ability to gather and use user data or is forced to allow users to opt out, it has less chance of showing a relevant ad and less chance for a revenue event with advertisers – who only pay if the user clicks on the ad.

Ball’s in Google’s Court

While the CNIL has stated it will announce its “repressive action” before summer time, the ball is actually in Google’s court to decide whether it should start making steps to comply with Europe’s recommendations or continue to ignore the data protection authorities and hope for minimal action. After all, the CNIL and the other data protection authorities have limited ability to enforce the law or levy fines. With a possible fine of only 300,000 to 600,000 Euros in each European country, Google may figure that it is better to just consider the fine as a cost of business, pay the fine and carry on as it does now. The lucrative data-driven ad business is much too valuable when compared to a small fine and caving in to the Europeans would set a dangerous precedent for potential actions in other countries. If the Europeans are successful in changing Google’s data collection practices, then even the US might wake up and realize this model is not in the best interests of consumers and businesses. With Google and others now lobbying to soften Europe’s proposed new data protection law, it may find this stonewalling strategy will buy it some time and ultimately pay off. On the other hand, Google may be playing with fire and the end result could be a billion dollar fine.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s