Skip to main content

As any business knows, it is indeed a small world after all.  And the FTC’s recent settlement with Google related to the launch of its Google Buzz social network demonstrates why it’s important for companies to think about the global ramifications of their privacy practices.

In addition to concerns about allegedly deceptive representations in the company’s privacy policy and misleading practices that exposed information to public disclosure without adequately informing Gmail users, the Google case is the FTC’s first action charging violations of the terms of the U.S.-European Union Safe Harbor Framework.

In place since 2000, the Framework offers American companies a voluntary method for transferring personal data outside the EU in a way consistent with the EU’s Data Protection Directive.  To qualify for the Safe Harbor, a company must self-certify to the Department of Commerce that it complies with certain standards — including specific provisions mandating notice to people about how their information will be used and the opportunity to opt out of having their info disclosed to third parties.

Google has self-certified since 2005 and expressly said in its privacy policy:  “Google adheres to the US Safe Harbor Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Safe Harbor Program.”

But according to the FTC’s complaint, by not giving Gmail users notice and choice before using their information to populate its Google Buzz social network, the statement in the company’s privacy policy was false or misleading, in violation of the FTC Act.

The big picture for businesses:

  • Statements in privacy policies are claims that have to be truthful and substantiated; and
  • Privacy practices can have implications beyond U.S. borders.

Next:  The terms of the Google order


Get Business Blog updates