Member Article

Data protection: Google it!

David Ashplant, corporate partner at Lester Aldridge LLP, looks at changing data protection laws.

Data protection law has been with us for almost 30 years but perhaps it is now finally coming of age with news that the data protection authorities in various EU countries are launching joint action against Google for alleged breaches of data protection laws.

With the exponential increase in the use of the internet in recent years, there has been a consequential massive increase in the amount of personal data being collected and used. Personal data has significant financial value and so businesses are naturally keen to exploit that.

Google has come under the spotlight for merging data held across its various services such a Gmail and YouTube. Users have no right to opt out and the authorities think there is a high risk to the privacy of individuals. The authorities believe Google is collecting excessive amounts of information on users’ activities on the internet, keeping the information for too long and not giving users enough control over how it is used.

The UK’s data protection enforcer, the Information Commissioner (‘IC’) can issue enforcement notices for breach of the law and, for a serious contravention, impose a fine of up to £0.5 million. New EU rules could soon empower authorities to impose fines of up to 2% of global turnover, which would be about $760million in Google’s case.

But the law doesn’t just apply to the likes of Google, every business needs to comply. Before obtaining or using personal data – basically data that enables someone to be identified – a business must notify the IC of the data the business will be processing and the purposes it will be used for and that notification needs to be kept up to date. Failure to notify is a criminal offence.

In addition, businesses must comply with the data protection principles which include:

• Processing must be fair and lawful: for example, people should not be misled about what their data will be used for. Many companies use privacy policies on their websites and opt in or opt out check boxes to help ensure they comply with the law. With “sensitive” personal data ( e.g. relating to race, health and sexual life) explicit consent is required;
• data collected should be relevant and not excessive;
• data should not be kept longer than necessary; and
• data should not be transferred outside the European Economic Area except in certain circumstances.

Regardless of the outcome of the Google case, the publicity it is attracting will greatly increase awareness of data protection law and the likelihood of individuals taking up their grievances. Ignorance of the law is no excuse and even if a fine is avoided, adverse publicity about a company’s data protection compliance can do untold reputational damage which in turn is likely to damage turnover and profits.

This was posted in Bdaily's Members' News section by Lester Aldridge LLP .