My weekly technology law column (Toronto Star version, homepage version) notes that last week the talk of the privacy world was news that 10 privacy and data protection commissioners – led by Canadian Privacy Commissioner Jennifer Stoddart – had released a public letter to Google CEO Eric Schmidt, expressing concern that the Internet giant was forgetting its privacy responsibilities.
The letter, also signed by the heads of privacy agencies from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, focused on the recent introduction of Google Buzz, a service that offered new social media capabilities. It attracted the wrath of users and privacy advocates after Google automatically assigned users a network of "followers" from among people with whom they corresponded most often on Gmail. Google quickly altered the offending features, but the damage was clearly done, as privacy commissioners from around the world used the incident as the basis for a shot across the company’s bow.
Stoddart's role in the letter is instructive. Fresh off last year's successful showdown with Facebook, in which the popular social media site agreed to alter some of its policies for its more than 400 million users based on a single Canadian complaint, her office has jumped on the technology bandwagon, actively blogging, twittering, and engaging on Internet related issues.
Business reaction to the letter was decidedly mixed, however. Some argued that it foreshadowed potential regulatory action against Google and other major Internet companies. Others were more skeptical, noting that a closer reading of the letter revealed that the commissioners had few specific complaints remaining about Google Buzz, given the changes implemented by the company weeks earlier. Moreover, when asked about the status of the case, Stoddart admitted that there had not been a formal investigation into the matter.
As experts debated the importance of the letter, the longer-term impact may come not from specific actions against a company such as Google (there does not appear to be much likelihood of imminent action) but rather from the realization that the joint effort may represent a major step toward the globalization of privacy enforcement.
The difficulties associated with cross-border privacy enforcement has long been viewed as a particularly thorny issue in a world where data moves effortlessly across borders and private companies retain massive databases containing a myriad of personal information.
The European Union has attempted to address the issue by establishing restrictions on the export of data, requiring that data transfers be limited to those countries with "adequate" privacy protections. Canada has adopted a different approach, eschewing restrictions on data exports but holding organizations accountable for the data they collect, regardless of its location.
Despite efforts to assure the public that these regulatory systems offered effective privacy protections, the reality has been that privacy rules are purely domestic creatures that end at the border. Indeed, only a few years ago, Stoddart's office maintained that it could not even investigate a case involving a foreign-based company.
The joint letter signals a new approach to privacy enforcement, one based on greater cooperation and mutual recognition of common privacy principles. While the specifics of privacy laws may vary, the underlying principles are remarkably similar across jurisdictions. As privacy and data protection commissioners work together on issues with a global impact, they create a new layer of enforcement that could lead to joint investigations and parallel enforcement actions. After years of grappling with the challenges of borderless privacy concerns in a bordered world, that is a development worth buzzing about.