Part 2: Privacy Approaches Applied
This is the second post in a three-part blog series examining privacy issues confronting multinational corporations in a global economy. The first post explored privacy generally by analyzing privacy as the concept is understood and applied in the European Union, in China, and in the United States. This post will assess the experiences of Google and McDonald’s in adhering to privacy regulations while operating on a global level and attempting to comply with the three privacy regimes described in the first post. The third post will provide recommendations on privacy strategies companies can implement to mitigate some of the issues identified in the second post. These posts do not attempt to provide an exhaustive list of privacy issues multinational corporations encounter, but they are intended to show the importance of privacy concerns and to highlight the need to confront compliance issues in a proactive manner.
Introduction
“[I]n times of globalized business operations, a company’s business strategy in one market might affect the standard against which the company is measured in other markets and jurisdictions.”[1]
As the first post in this series discussed, privacy regimes vary according to geography, societal values, and historical contexts. Companies operating in multiple jurisdictions have to function in these varied privacy regimes, and it is not always a simple task. As the following case illustrations demonstrate, compliance with one privacy scheme raises the possibility of violating the privacy regulations in another jurisdiction. The first case illustration depicts Google’s troubles in Italy following its activities in China. The second case illustration explores McDonald’s struggles in complying with mandatory whistleblowing requirements in the U.S. that were in violation of E.U. privacy laws.
Unexpected Consequences: Google in Italy and China
The Setting
On February 24, 2010, three Google executives were found guilty of violating the privacy of a child. The controversy started in 2006 when a video was uploaded to a site owned by Google featuring a group of teenagers insulting and assaulting an autistic boy, specifically calling the boy a “mongoloid.”[2] After it was uploaded, the video became popular enough that it was ranked as “the funniest video on Google Italia. It was rated 29th of the most downloaded videos on Google Italia.”[3] Although Google removed the video within hours after being notified that it infringed on the victim’s privacy, the damage was already done.
During the trial, the Google executives were charged with, among others, violating the victim’s privacy rights, though the Google employees were only found guilty of the privacy charge. At the heart of the ruling was Google’s AdWords program, which placed advertising on the side of the screen when users watched videos on the Google-operated site. The court found that the video contained personal information based on the use of the word “Mongoloid.” According to Directive 95/46/EC of the European Parliament and of the Council, discussed in Part I, personal information is prohibited from being shared without the subject’s unambiguous consent. Because Google permitted the content of the video to be shared and derived a profit from sharing such information in the form of revenue generated from the AdWords program, the court determined that Google had violated the victim’s right to privacy.
The Google executives unsuccessfully argued that they fell under an exemption for personal liability found in the Directive 95/46/EC of the European Parliament and of the Council. Paragraph 47 of Directive 95/46/EC excuses liability for those who merely serve as a vehicle to transmit personal data, as opposed to those providers who actually control the transmission of personal data.[4] The court dismissed this argument, finding that Google has increasingly taken on a more active approach in the services it provides.[5] The Court relied primarily on the fact that Google’s revenue from its AdWords program is proportionate to the popularity of a given video. Because the video was popular and because Google had the potential of deriving greater profits based on that popularity, the court reasoned that Google obtained profit, through its AdWords program, at the expense of a violation of the victim’s privacy rights.[6] Google’s active approach to providing services, rather than simply its role as a passive vehicle for the transmission of data, is evidenced by its activities in China, on which the prosecution rested its case.[7]
Google as a Content Provider
When Google launched its services in China in 2005, the company modified its search algorithm to exclude controversial topics, such as information relating to Tiananmen Square or the Falun Gong movement. The main draw of the Chinese internet market is its colossal size; the population of internet users in China was estimated at 384 million in 2010, which was more than the entire population of the United States at the time. In order to tap into such a massive market, Google had to comply with China’s internet censorship protocol, known colloquially as “the Great Firewall.” The Great Firewall is but a part of the Chinese government’s attempts to censor information domestically and abroad, and tens of thousands of Chinese workers are employed to ensure that sensitive information is restricted from general access. In order to adhere to China’s censorship regime, search engines in China, like Google, are prevented from linking to sensitive information. In 2010, Google moved its services for operations in China to Hong Kong, which allowed Google to stop its self-censorship, though the content accessed through Google’s services was still filtered in mainland China. The move to Hong Kong was seen as a partial retreat from Google’s stance of filtering the content it provided. Thereafter, Google actively sought to promote freedom of information on the internet by informing the Chinese population that they would likely experience short breaks in their connection when searching for prohibited content, although this practice was quietly abandoned in January 2013.
Although there was general disagreement with Google’s censorship policy in China, resulting in claims that Google’s modifications in China contradicted Google’s core value of “don’t be evil,”[8] the decision to restrict user access to the content Google provided also had another, more insidious component; it pushed Google’s activities from a “mere conduit of information” toward becoming a “full-fledged media company.”[9] Google has a long-standing tradition of insisting that it “is not a media company, that its [sic] organizes and manages content, but stays away from producing it.” This mantra is being tested, however, as Google expands into offering more services and products. “[I]t may be time to retire the trope,” says a Forbes article, indicating that any argument over Google’s media company status is now moot. Google’s image as a passive conduit for unfiltered media has been questioned in light of its attempt to buy a social-networking site, its launch of a magazine, and its operation of a recipe-sharing site. However, it was Google’s censorship activities in China that raised serious questions for the Italian court about Google’s passive role in the provision of internet content.
The Court Decision and the Aftermath
David Thorne, the American ambassador to Italy during the time of the 2010 case against the Google executives, stated in response to the Italian court’s decision that he disagreed with the idea that “Internet service providers are responsible prior to posting for the content uploaded by users . . .” During the case, Google argued in its defense that its and other search engines’ activities would be significantly impacted if an internet company could be liable for the content uploaded by third parties. The winning argument for the prosecutors took a contrary view; if Google was able to filter the content it provided in China, it could do the same in Italy to “protect human dignity.” Alfredo Robledo, prosecutor against Google, stated that the case was not about the freedom of the internet, but rather human dignity; “[t]he rights of a business enterprise cannot take precedence over the dignity of the individual.”
The Italian court’s decision finding the Google executives guilty was overturned in December 2012. The initial guilty verdict had raised concerns about internet freedom in Italy. Under E.U. law, internet service companies that merely serve as a conduit for information are exempt from liability for the content uploaded by third parties.[10] Under the lower court’s decision, this exemption from liability would be significantly narrowed to those few internet service companies who do absolutely nothing more than provide access to information. The appeals court rejected the narrow reading of the hosting exemption and instead adopted a position imposing liability only for companies that “host user-generated content” and fail to act once illegal content had been uploaded to the provider’s site. In the Google case, this meant that the executives would only be liable if they failed to remove the video despite having received notice that it violated the victim’s privacy rights. Because Google removed the offensive video within hours of receiving notice of a violation of the victim’s privacy, the appeals court reasoned that Google was not liable. The reasoning of the appeals court was upheld by Italy’s highest court in December 2013.
Clash of Regulatory Schemes: McDonald’s in France
The Setting
In January 2005, McDonald’s France, the French division of McDonald’s global operations, sought an opinion from France’s privacy regulatory body, the Commission Nationale De L’informatique et des Libertés (“CNIL”), in regard to the creation of a system of “professional integrity.”[11] The professional integrity plan would have permitted McDonald’s France employees to report any misconduct anonymously. Any reported misconduct, including questionable accounting practices and internal control over accounting or auditing methods, would have been processed in the U.S. and reported to the general counsel of McDonald’s France. McDonald’s France requested the opinion for its professional integrity plan at the behest of its U.S. parent corporation in an attempt to comply with provisions of the Sarbanes-Oxley Act (“SOX”). Although McDonald’s France requested the opinion before it had actually implemented its proposed professional integrity plan, the CNIL refused to authorize any such “whistleblower” hotline. The CNIL’s decision to reject McDonald’s France’s proposal made it impossible for its U.S. parent corporation to comply with its obligations under SOX.
Sarbanes-Oxley
To truly understand the obstacles McDonald’s France was facing, it is important to explore SOX in more depth. Following the Enron and WorldCom scandals, Congress enacted SOX in order to improve the accuracy and reliability of corporate disclosures. Among the many provisions SOX introduced, of particular importance to McDonald’s was the SOX requirement that companies must create and apply procedures for the confidential, anonymous reporting of questionable accounting or auditing controls.[12] Further, SOX mandates that employees reporting on such practices must be protected from retaliation for their disclosure activities.[13] That these requirements apply to U.S. companies is apparent, but it is far less certain whether these requirements apply extraterritorially as well.[14] Because of this uncertainty, many multinational corporations, such as McDonald’s, determined that it would be prudent to act as if SOX applied to all of their operations, including subsidiary operations in foreign jurisdictions.[15] Therefore, McDonald’s France’s professional integrity plan, calling for anonymous reporting of confidential information regarding misconduct, is best understood in the context of an American parent corporation, McDonald’s in the U.S., attempting to comply with the SOX requirements in every geographic region of its operations.
French Agency’s Determinations
The CNIL review of McDonald’s France’s proposed professional integrity plan found that the plan involved the collection of personal information and that McDonald’s France was a “controller” of personal data. According to Article 2(d) of the E.U. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and French law implementing the Directive, controllers of personal data are permitted to “collect and process personal data in order to satisfy legal obligations to which they are subject.”[16] Because McDonald’s France employees participated in the professional integrity plan, the CNIL determined that McDonald’s France was a controller of personal data and that the CNIL had authority to make findings on whether the professional integrity plan complied with the law.[17]
The CNIL ultimately concluded that McDonald’s France’s professional integrity plan involved violations of the law. Of primary concern to the CNIL was that individuals alleged to have participated in misconduct, as disclosed by whistleblowers, would be unable to “hear or reply to the accusations made against them.” The CNIL determined that the policy behind French data protection laws, and the E.U. laws by extension, is to ensure that citizens know who possesses their personal information, are informed about who has access to that information, and can take remedial measures to correct any false information. Because anonymous and confidential reporting of personal information would not allow for the requisite transparency in regard to personal information, the CNIL determined that the professional integrity plan “could lead to an organized system of professional denunciation.”
The CNIL also determined that McDonald’s France’s system was disproportionate to the objectives it sought to accomplish. Noting that “other legal means exist to guaranty [sic] compliance with legal provisions and company rules,” the CNIL found that the risk of professional denunciation and the “stigmatization of employees” was greater than the need for the professional integrity plan’s reporting system.[18] Although the CNIL was aware of the obligations imposed by the SOX provisions when it denied McDonald’s France’s application for permission to implement the professional integrity plan, the decision did nothing to ameliorate McDonald’s conundrum of seeking to comply with SOX and French privacy laws.
Aftermath of Determination
After the McDonald’s France ruling, the CNIL attempted to provide some guidance in how to comply with SOX whistleblowing requirements and French privacy laws. In November 2005, the CNIL indicated that whistleblowing procedures may be implemented but only as long as they are voluntary and are a supplement to other means of communication within a corporation. Further, the November 2005 guideline document stated that “a whistleblowing system may only be considered as legitimate if it is necessary to comply with a legal obligation.” Because the November 2005 guidance document was limited and left important issues unresolved, the CNIL released a whistleblowing directive in December 2005. The directive explains that whistleblowing procedures are permissible so long as they strictly comply with the directive’s requirements. Among the many items addressed in the December directive, one important requirement is that whistleblowers are obligated to identify themselves, and that this identification remains confidential.[19] The directive also allows for two instances where a whistleblower may remain anonymous: when precautions are properly taken in processing the information and when the company does not promote anonymous whistleblowing.[20] Although the December 2005 directive obviates some of the confusion surrounding compliance with French laws while still adhering to the SOX requirements, McDonald’s France still must ensure that the SOX compliant whistleblower procedure it adopts is similarly compliant with French regulations concerning privacy.
Conclusion
Both Google’s and McDonald’s experiences illustrate the complications that arise when operating in a global marketplace. In Google’s experience, its actions in China had a direct impact on the liability it faced in Italy for privacy issues entirely unrelated to its operations in China. In McDonald’s experience, its attempts to comply with U.S. regulations resulted in a direct conflict with the privacy regulations in France. Although both of these examples have been ameliorated to a certain extent (Google’s executives were relieved from liability by Italy’s highest court, and McDonald’s is able to better comply with French privacy regulations due in large part to clarifications of the law), these examples serve to illustrate the complexities inherent to operating in multiple jurisdictions with many varied, sometimes even competing, privacy regulations. This dilemma, encountered by every multinational corporation, must be addressed, and the final installment in these blog posts will offer potential methods for addressing privacy issues in an effective manner.
Greg Henning is a 3L at the University of Denver Sturm College of Law and a General Editor for the View From Above.
[1] David Scheffer & Caroline Kaeb, The Five Levels of CSR Compliance: The Resiliency of Corporate Liability Under the Alien Tort Statute and the Case for a Counterattack Strategy in Compliance, 29 Berkeley J. Int’l L. 334, 394 (2011).
[2] See Raul Mendez, Google Case in Italy, Int’l Data Privacy L., Feb. 25, 2011, http://idpl.oxfordjournals.org/content/early/2011/02/25/idpl.ipr003.full#xref-fn-1-1.
[3] Id.
[4] See Council Directive 95/46/EC, ¶ 47, 1995 O.J. (L 281) 31, 36.
[5] See Mendez, supra note 2.
[6] See id.
[7] See Scheffer & Kaeb, supra note 1.
[8] Google has limited its activities in China but still complies with Chinese authorities in restricting content. See Mic Wright, Google Shows China the White Flag of Surrender, The Telegraph (Jan. 7, 2013), http://blogs.telegraph.co.uk/technology/micwright/100008624/google-shows-china-the-white-flag-of-surrender/
[9] Scheffer & Kaeb, supra note 1.
[10] See Council Directive 95/46/EC, ¶ 47, 1995 O.J. (L281) 32, 36.
[11] Marisa Anne Pagnattaro & Ellen R. Peirce, Between a Rock and a Hard Place: The Conflict Between U.S. Corporate Codes of Conduct and European Privacy and Work Laws, 28 Berkeley J. Emp. & Lab. L. 375, 411 (2007).
[12] See 15 U.S.C. § 78j-1(m)(4)(B) (2010).
[13] See 18 U.S.C. § 1514A (2010).
[14] See Donald C. Dowling, Jr, Sarbanes-Oxley Whistleblower Hotlines Across Europe: Directions Through the Maze, 42 Int’l Law. 1, 7 (2008) (“But our SOX hotline question here is international: Whether SOX’s mandate of “confidential, anonymous” employee reporting “procedures” extends as well to “employees” of SOX-regulated companies (and their subsidiaries) who work and live abroad.”).
[15] See id. (“But contrary to the widespread assumption of countless U.S.-based multinationals examining this issue, a viable argument exists that the Section 301 “complaint procedure” mandate is confined to “employee” populations working on U.S. soil.”).
[16] See Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data art. 2(d), Jan. 28, 1981, E.T.S. 108.
[17] See Pagnattaro & Peirce, supra note 10, at 412.
[18] See id. at 413 (“In other words, the harm that could be caused by a slanderous accusation–to which the employee may not be able to adequately respond–was too great a burden and outweighed the justifications for the hotlines.”).
[19] See id. at 421.
[20] Id.