At the same time, one of the most powerful aspects of the Internet is its ability to personalize information for each particular user. Personalization allows consumers to receive the information, content, and products they want. The same holds true for online advertising. Targeted online advertising benefits consumers by showing them ads that are useful, relevant, and pertain to their particular interests.
California has a way of inventing things that turn out to be popular around the world (hey, not just Google). California passed the first so-called security breach notification law, in 2002. To date, 39 U.S. states have enacted laws that require notice if some form of personal information is compromised in a data security breach.
Since then, the trend has gone global. In August, the Office of the Privacy Commissioner of Canada issued guidelines on how to handle a security breach, which are just that – guidelines – but provide sensible recommendations for the handling of security breaches, including the notification to affected individuals where a breach creates a risk of harm. The logic behind the Canadian approach is that prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. New Zealand has followed a similar line by issuing guidelines on how to handle privacy breaches, which also focus on the role of notification to avoid or mitigate harm to individuals.
This trend is about to come to Europe too. The European data protection directives do not have any express provisions requiring companies that have suffered some sort of security breach to notify the individuals affected. The traditional thinking is that Europe does not need such a measure because there is already a well known obligation that calls for the adoption of appropriate technical and organisational measures to protect personal data against security breaches.
However, a European Commission consultation document of 2006 hinted at the prospect of security breaches notification obligations for providers of electronic communications networks and services, on the basis that network operators and ISPs, as the gatekeepers for users’ access to the online world, carry a special responsibility in this regard. This was followed by recommendations made by the Article 29 Working Party to extend those obligations to "data brokers," banks and other online service providers. The Working Party went on to say that for important breaches, all customers of the communications provider – not just those directly affected – should be informed.
The European Commission is now expected to include a formal proposal introducing mandatory security breach notifications or otherwise, into its review of the EU’s e-communications regulatory framework. Bearing in mind the experiences in other parts of the world and the latest thinking in jurisdictions like Canada and New Zealand, the risk of harm to the individual should be a determining factor in triggering notification obligations. Otherwise, the real risk is to trivialise notification obligations to such an extent that they become meaningless and ineffective in terms of data protection. In fact, the potential damage to consumers of a blanket notification obligation could be twofold: on the one hand, it can create unjustified anxieties and on the other hand, it may result in a lack of proper attention to more serious incidents.
A recent article about our treatment of a political ad placed on Google suggested that we make decisions about advertising content based on the political viewpoint of the advertiser and the ad. This is simply untrue. We do not accept or reject ads based on the political opinions expressed in the ads or the political views of the advertiser.
Let me explain the facts behind the matter and the policy behind the decision.
Recently, representatives of Senator Susan Collins' Senate re-election campaign tried to place an ad on Google that included a reference to MoveOn.org, a political group. The text of this ad was rejected by our system because of our trademark policy, not because of its political content.
Under our trademark policy, a registered trademark owner may request that its mark not be used in the text of other parties' ads. Some time ago, MoveOn.org submitted a request to Google that its trademark not be used in any ads, and as a result our advertiser support team offered instructions on how Senator Collins' campaign could edit and resubmit its ad.
Any company or organization -- regardless of political affiliation -- could do what MoveOn did and thereby prevent advertisers from running ads that include their trademarks in ad texts. And that's very important. The ad in question could have said that MoveOn.org was great, or even just so-so, and our policy would have resulted in the same outcome; Google would have asked the advertiser to drop the trademarked phrase.
Our trademark policy is considered one of the least restrictive in the industry. It strikes a balance among the interests of users, advertisers, and trademark owners by leaving it up to trademark owners to notify us of restrictions on their registered trademarks. Any entity that demonstrates to us that it owns trademark rights can request that its trademarked terms not be used in the text of Google ads.
We are committed to fairness and freedom of expression, and we recognize that the nature of political advertising is to inspire debate. We look forward to engaging in this debate in an open and transparent fashion, and we encourage political candidates and campaigns to contact our elections team with any questions they may have about our policies.