Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
On February 24, 2010, a Milan court convicted Google’s Chief Legal Officer, Global Privacy Counsel, and a former member of Google Italy’s board of directors for violating Italian privacy law and imposed a six-month, suspended jail sentence. The case stemmed from a posting on Google Video® — a YouTube® predecessor — of a video depicting several teenagers bullying a classmate with Down’s Syndrome. Although the Google executives had no involvement in either the posting or in the decision whether and when to remove it, Italian law imposes criminal liability on senior executives for the actions of the corporation. Prosecutors alleged that Google should be held responsible not only for permitting the video to be posted in the first instance, but also for allegedly not having acted quickly enough to remove the video after receiving a complaint.
The convictions have wide ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?
First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources data base — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., data protection requirements (in addition to any imposed by U.S. law) will apply.
Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.
Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.
In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.
This entry was written by Philip L. Gordon.