I find this case extremely fascinating on many levels. From eWeek:
officials charge Google Global Privacy Counsel Peter Fleischer* with
criminal charges of defamation and failure to exercise control over
personal data two years after Google posted a video depicting fellow
students harassing a student with Down syndrome.
Internet service providers, who are not responsible for posted content,
content providers like Google can be held liable for delivered
According to the International Association of Privacy
Professionals, the charges are thought to be the first criminal
sanction ever pursued against a privacy professional for his company's
You can see the original story from the International Association of Privacy Professionals (IAPP) here.
The implications of this are quite profound as you can imagine. CEO's and CFO's can be held accountable for crimes committed under their watch, so it's not too far of a stretch to see how privacy officers like Fleischer will have their feet held to the fire when subject to international law that takes a different perspective on the responsibilities associated with privacy than we might.
How many indictments have we had in the U.S. for the release of information in corporate breaches? The U.K.?
I'm not making a judgment call on this particular case because I certainly don't have all of the details, but it sets a very interseting precedent.
Imagine if you were a Chief Privacy Officer or perhaps a Chief Information Officer subject to this sort of scrutiny outside of the due care and stewardship requirements of the job in general. If something bad happens, generally the worst thing that might occur is you lose your job.
Imagine if you were personally liable for the posting of content from millions of users globally and could be sentenced to share a shower and a cell with an angry Italian man who can't get a decent cappuccino. I can't imagine what that would be like.
This may be the first time a privacy professional has been charged on behalf of the company he/she is employed by, but I will bet this won't be the last time it happens, either.
Besides the impact this can have on employees of providers of service, Google suggests it calls into focus larger issues of Net Neutrality:
late Feb. 2 stressing the company's sympathy for the victim and his family, but
insisted, "We feel that bringing this case to court is totally
wrong. It's akin to prosecuting mail service employees for hate speech letters
sent in the post.
What's more, seeking to hold neutral platforms liable
for content posted on them is a direct attack on a free, open Internet. We
will continue to vigorously defend our employees in this prosecution."
An interesting argument for sure and one I can see being debated vigorously. It's clear Google operates globally, so they must understand this sort of thing could happen. What about Facebook (sorry, Chris) or MySpace? What happens when Amazon is used to host data that is mishandled by someone. What then?
Imagine what fun it's going to be when we're all cloudified and the mash-up frenzy makes the cross-pollenization of information today look orderly; who's responsible then?
What do you think? Should privacy officers be liable for events like this? Should CSO's/CISO's and Compliance Managers be liable when a breach occurs exposing protected information? Think about that answer very carefully.
*You can find Peter Fleischer's blog here.