X

Google proposes global privacy standard

Search giant wants standard based on actual harm to consumer, but a privacy advocate says the proposed guidelines are weak.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
While Google is leading a charge to create a global privacy standard for how companies protect consumer data, the search giant is recommending that remedies focus on whether a person was actually harmed by having the information exposed.

Google's proposal is scheduled to be presented by Peter Fleischer, Google's global privacy counsel, in a speech Friday in Strasbourg, France, at Unesco's meeting on ethics and human rights. He briefed reporters on Thursday.

The proposal follows the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, which has been endorsed by many of the APEC nations, including Australia and Hong Kong, but not all. China, for instance, does not endorse it, Fleischer said.

"Google believes we need to work together to create minimum global standards, partly by law and partly by self-regulation," Fleischer said in a telephone conference call. "We need a collaboration between government and the private sector."

The APEC framework "promotes a flexible approach to information privacy protection" and is a "practical policy approach to enable accountability in the flow of data while preventing impediments to trade," according to the group's fact sheet. The nine principles of the framework are: preventing harm; integrity of personal information; notice; security safeguards; collection limitations; access and correction; uses of personal information; accountability; and choice.

Under a "preventing harm" principle in the framework, "any remedial measures should be proportionate to the likelihood and severity of the harm," the documents state.

"Privacy standards should focus on actual harms to consumer privacy," Fleischer said. "Other countries have an ideological bent...APEC has a pragmatic focus on privacy harms...not abstractions."

Fleischer has been shopping the idea around, meeting with the Spanish Data Protection Authority a few days ago ("He welcomed it warmly") and the French counterpart, which endorsed it.

Deflecting DoubleClick criticism?
However, a privacy advocate dismissed the move as a desperate attempt by Google to appear to be sensitive to privacy issues amid government scrutiny of its proposed $3.1 billion acquisition of online-ad firm DoubleClick.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, called the APEC Privacy Framework "backward looking" and said it "is the weakest international framework for privacy protection, far below what the Europeans require or what is allowed for trans-Atlantic transfers between Europe and the U.S.," particularly because it focuses on the need to show harm to the consumer. The guidelines were developed before there was data collected on the cost to consumers of identity theft and security breaches, he said.

"Google is under enormous pressure from many countries around the world who are fed up with their arrogance and their unwillingness to make meaningful changes to their business practices," Rotenberg said. "They're also trying desperately to push the acquisition of DoubleClick through the Federal Trade Commission. And they've met enormous resistance."

Fleischer denied that the proposed DoubleClick merger had anything to do with Google's actions.

"(This is) a sustained multipronged effort by Google to improve privacy practices...across the Internet," he said in his briefing. "People expect us to show some leadership. We would do this, regardless of whether DoubleClick were part of the equation."

Google will take its message to the public through a virtual debate it plans to open on YouTube soon, and it will participate in meetings in Montreal on September 24 with global privacy commissioners and in Washington, D.C. in October, Fleischer said.

Also, Google Chief Executive Eric Schmidt "will add his voice to this debate" in the next few days, Fleischer said, declining to elaborate.

Google has been speaking with Microsoft and Yahoo about the matter, and representatives from those companies expressed interest in the effort, Fleischer said.

A Microsoft representative said Google has not discussed its specific proposal with Microsoft but that Microsoft has been working with APEC countries on the privacy framework for a few years.

A Yahoo representative provided this statement when asked for comment: "Yahoo is dedicated to protecting the privacy of our users. It is a cornerstone of the trusted relationship that we have built with consumers. We are involved in a number of discussions, internally, and with others in the industry about the best methods for protecting consumer privacy. Those important conversations will continue in the months ahead."

Fleischer said he was invited to address Unesco at its meeting, which is focused on ethics in the information society, by the French Data Protection Authority. "We were looking for the right forum to launch this (effort) publicly," he said.