Google’s global privacy counsel Peter Fleischer is on a crusade to uphold the company’s stance against governments breaching users’ right to privacy. By Malar Velaigam
Internet giant Google is famous for several reasons: its highly popular search engine, its unorthodox organisation structure and its big acquisitions, such as the purchase of YouTube last October.
But since early 2006 Google has more often hit the media headlines for its data protection policies. The company is currently embroiled in ‘regulatory dialogues’ with European regulatory bodies on its data-retention policies.
Given the demanding legal environment in which Google operates, it comes as a surprise that Google’s global privacy counsel Peter Fleischer does not have his own dedicated legal team.
“That’s just the Google way of doing things – we do it a little differently,” explains Fleischer with a hint of a smile. “I’m an unusual function.”
The lone legal head instead has what he calls a “virtual group” of up to 200 lawyers spread across the company. “If there’s a change in HR privacy, I work with the HR privacy team, and so forth,” says Fleischer. “We don’t draw boundaries.”
Fleischer reports to Google’s European director of legal Nigel Jones, who is based in the company’s European headquarters in Dublin. Jones, in turn, reports to Google’s overarching head of legal David Drummond, who is based in the US.
Despite not ‘drawing boundaries’, Google’s legal muscle is broken into five core groups: commercial, product counsel, public policy and government relations, and what Fleischer refers to as “local GCs”, which are general counsel who oversee legal issues pertaining to the country in which they are based.
Under this structure – or lack thereof – Fleischer is able to draw on lawyers from across the entire company to work on specific jobs as and when the work arises. “I’d say that about one-third to 10 per cent of our lawyers’ time goes on privacy,” says Fleischer.
The debate between privacy and security has become increasingly heated and complex in light of international security concerns. Terrorism concerns are currently hampering talks with international governments aimed at striking a balance between the privacy of people who are online and government surveillance.
“Last year the [US] Department of Justice [DoJ] asked Google to hand over details of confidential logs of searches,” explains Fleischer.
This was part of an American Civil Liberties Union lawsuit seeking to overturn a child pornography law, in which several internet search engines were subpoenaed by the US DoJ in January 2006 to release millions of search queries. Microsoft’s search engine MSN, AOL and Yahoo! all complied by releasing data to the government.
Google shocked the authorities and its critics by refusing to submit the logs that record what people have searched for through its internet search engine. The company then proceeded to fight the order in court.
“We felt that the [US] government had no right to ask for information on everyone that had searched through the engine,” says Fleischer. Keker & Van Nest partner Ashok Ramani, who was seconded to Google as a commercial litigation counsel, acted on the case.
Fleischer says the cause of these differing standpoints is that European data protection laws were established in 1995, a time when the internet was just taking off.
Under the EU Data Protection Directive a number of ‘regulatory hurdles’ were placed in the way of cross-border data transfer. As such, while data transfer within the EU is a relatively simple process, data transfer into and out of the EU is subject to a myriad of regulatory obstacles. This is exacerbated by the fact that the US does not have any equivalent legislation, instead relying on a self-regulating system.
Fleischer says that although amendments have been made to provisions under the EU directive to combat this, the fundamentals of the directive still need to be updated. “The directive hasn’t evolved in tandem with the technology. It has to be simpler and more consistent,” says Fleischer.
Amid this regulatory climate and in a bid to convey its “respect for user privacy”, Google changed its data retention policy in March 2007 to ‘anonymise’ all server logs after 18-24 months. This means that information about search queries can no longer be identified with individual users after that time period.
The move was watched closely – and widely criticised. Privacy experts argued (and still argue) that the timeframe is too long, while security experts conversely contend that it is too short. Google was, meanwhile, adamant that it struck the right balance between privacy and transparency.
The argument still rages, and Fleischer is clear that changes to data protection regulations are likely to take some time as talks with policy leaders remain slow-going. In the meantime, his hands are well and truly full.
Global privacy counsel
|Title:||Global privacy counsel|
|Reporting to:||European director of legal Nigel Jones|
|Number of employees:||13,786|
|Legal capability:||‘Virtual’ team of up to 200 lawyers|
|External legal spend:||£1m-£2m|
|Main law firms:||Hunton & Williams|
|Gareth John’s CV:||