Paying Lip Service to PrivacyAttorney Details Steps for Organizations to Fill Privacy Gaps
News of Google's $22.5 million settlement with the Federal Trade Commission has come and gone, yet privacy issues reflected in the case remain a concern. Where are the gaps and how can companies fill them? Attorney Francoise Gilbert offers details.
In an interview about the legal ramifications of the Google case, Gilbert discusses:
- The FTC's message in cracking down on Google;
- How organizations need to respond to this case;
- The important takeaways for privacy professionals.
Gilbert has extensive experience with data privacy and security issues as well as Internet, e-business and information technology law. Her clients include Fortune 500 and other global corporations, as well as emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace and e-business risks; develop and implement information privacy and security strategies and compliance programs; and integrate privacy and security in mergers and acquisitions, outsourcing, marketing and other relations.
She regularly addresses a wide range of privacy and security issues, including compliance with HIPAA, COPPA, CAN SPAM and security breach disclosure laws; implementation of FTC or HIPAA security safeguards; U.S. Department of Commerce Safe Harbor self-certification; compliance with foreign data protection laws (Western Europe, North America and Asia Pacific); and cross-border data flow issues.
FTC Google Action
TOM FIELD: I would like to hear your immediate reaction to the news of this assessment, and I know you've got a particularly unique angle that you're concerned about.
FRANCOISE GILBERT: Not really concerned about, but I think it opens new ways for us to think about compliance with privacy. Very frequently, we look at privacy as something that's expressed in the official privacy statement that's published on a website. And with this case, one of the aspects of the FTC complaint touches on something else, another aspect of privacy, and I think that this is something very interesting to look at. Beyond the hype of the fine and the fact that Google was fined for repeated violations - which is more or less a Google matter - I think that we as lawyers need to read beyond that and see the aspects of this case that apply directly to our clients. Beyond the fact that if you're a repeat offender you may be facing a huge fine, what should you be doing for not being in trouble?
FIELD: That's a great point. I would like to talk with you about it some more. Let's take a step back for a moment. Help put this in context for us. The FTC has made significant news that this is the biggest assessment ever against an organization. Why this case?
GILBERT: Because Google is a very important company. Whatever Google's doing is something that represents ... the voice of America, if you want. So if the FTC wants to show to the world that it's serious about privacy, if the U.S. government wants to show to the world that it's serious about privacy, it has to have important cases. It has to penalize the well-known companies and definitely Google is one of the flashy companies throughout the world. If you go in the middle of Zimbabwe, I'm sure that they've heard of Google. And so, Google represents America. America has to show that if something happens, there's going to be a stick and that companies who don't comply with the rulings will be prosecuted. So I think it's a message to the world.
Now, beyond that, it's also another message of if you have gone through one consent decree with the FTC, you better behave. In Google's case, it did not obviously according to the observation and the investigation, and so that's also important because it gives teeth to the original enforcement order. How good is it to go through an enforcement action and to have companies make promises if as soon as you turn around the company just disregards this requirement and does what it pleases?
FIELD: As an attorney, what do you see as potential legal ramifications for guarding privacy by the FTC putting a stake in the ground here?
Message to Privacy Professionals
FIELD: That's the message to organizations. What's the message to privacy professionals? What should they be taking away from this and thinking about as they go forward professionally?
So for us as professionals, we applaud the verdict here because it shows that we were right when we were telling our clients that privacy's important and that they should compare the representations they've made with their actual practices. As we say in our business, "Say what you do and do what you say you do."