
Out-Law News 2 min. read

Buzz breached privacy and Safe Harbor programme, says FTC


Google misused customers' personal information when it used data collected by its Gmail service in its social network service Buzz without permission, US consumer regulator the Federal Trade Commission (FTC) has said.

That use was a breach of the Safe Harbor programme for keeping the details of EU citizens safe, the FTC claimed. It is the first time the FTC has charged a company with breaching a Safe Harbor agreement.

Google's privacy policies said it would ask permission before using information collected for one purpose for another, but it made use of Gmail data when launching Buzz, the FTC complaint said. The launch led to thousands of consumer complaints about the use of personal information.

Google has settled the case with the FTC by promising to conduct privacy audits every two years for 20 years; promising not to misrepresent the way it deals with personal data; and promising to obtain explicit consent before sharing users' information with other companies.

The Safe Harbor scheme is an agreement drawn up between the European Commission and US Department of Commerce that allows for the transfer of personal data from Europe to the US where data protections meet EU standards.

Google failed to give notice to customers that their email contacts would be shared with other users if they chose to sign up to Google Buzz when it launched in 2010, the FTC complaint said.

Customers were unable to fully opt out of Buzz even though Google led people to believe they could, the FTC said.

When Google Buzz was launched, Gmail users got a message announcing the new service and were given two options: to open Buzz or to return to the inbox. Users who clicked to 'check out' Buzz were not adequately informed that the identity of regular email contacts would be made public by default in the new service, the FTC said.

Clicking on the 'return to inbox' option did not prevent some users being signed up to some features of Buzz, whilst the 'Turn Off Buzz' option did not fully remove the user from the social network, the FTC said.

In the EU, companies are prohibited from transferring personal data to countries outwith the European Economic Area (EEA) unless there is adequate protection for that data.

US organisations who conform to the protection requirements in the Safe Harbor scheme are deemed as having met European safety standards outlined in the Data Protection Directive.

To qualify for the scheme a US organisation must develop its own self-regulatory privacy policy, join an existing privacy programme, or be subject to a statutory or law body which achieves the same standards as those set in the Safe Harbor scheme.

Member firms are audited annually to ensure they are complying with their commitment to the privacy of data transfers.

Pinsent Masons and AmberhawkTraining will be running a data protection law update session on 11 April. Details and booking information (4-page / 164KB PDF)
