ELECTRONIC PRIVACY INFORMATION CENTER v. FEDERAL TRADE COMMISSION

Filing 2

MOTION for Temporary Restraining Order, MOTION for Preliminary Injunction by ELECTRONIC PRIVACY INFORMATION CENTER (Attachments: # 1 Exhibit 1, # 2 Exhibit 2, # 3 Exhibit 3, # 4 Exhibit 4, # 5 Exhibit 7, # 6 Exhibit 8, # 7 Exhibit 9, # 8 Exhibit 10, # 9 Exhibit 11, # 10 65.1 Statement, # 11 Text of Proposed Order for Preliminary Injunction, # 12 Text of Proposed Order for Temporary Restraining, # 13 Text of Proposed Order)(jf, )

Download PDF
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA _________________________________________________ ) ELECTRONIC PRIVACY INFORMATION CENTER ) ) Plaintiff, ) ) v. ) Civil Action No._______ ) THE FEDERAL TRADE COMMISSION ) ) Defendant. ) ________________________________________________ ) MOTION FOR TEMPORARY RESTRAINING ORDER AND PRELIMINARY INJUNCTION Pursuant to Fed. R. Civ. P. 65 and LCvR 65.1, Plaintiff the Electronic Privacy Information Center hereby moves the Court to issue a Temporary Restraining Order and Preliminary Injunction requiring Defendant the Federal Trade Commission to enforce the Commission’s consent order in In the Matter of Google Inc., a Corporation, FTC File No. 102 3136 (Consent Order issued Oct. 13, 2011). In support of this motion, plaintiff relies upon the attached memorandum of points and authorities.1 A proposed order is attached. ORAL ARGUMENT REQUESTED. Respectfully submitted, By: ________________________________ John Verdi, Esquire (DC Bar # 495764) Marc Rotenberg, Esquire (DC Bar # 422825) Khaliah Barnes* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1 Pursuant to LCvR 65.1(a), EPIC’s memorandum includes the declaration of Marc Rotenberg, EPIC President. The Rotenberg Declaration states that, prior to filing this motion, EPIC provided Defendant actual notice of the filing, including copies of all pleadings and papers. David Jacobs** Amie Stepanovich*** ELECTRONIC PRIVACY INFORMATION CENTER 1718 Connecticut Avenue, N.W. Suite 200 Washington, D.C. 20009 (202) 483-1140 (telephone) (202) 483-1248 (facsimile) Counsel for Plaintiff Dated: February 8, 2012 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! * Ms. Barnes is a member of the bar of the State of Maryland. ** Mr. Jacobs’ application to the bar of the State of New York is pending. *** Ms. Stepanovich is a member of the bar of the State of New York. Her application to the bar of the District of Columbia is pending. 2 UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA _________________________________________________ ) ELECTRONIC PRIVACY INFORMATION CENTER ) ) Plaintiff, ) ) v. ) Civil Action No._______ ) THE FEDERAL TRADE COMMISSION ) ) Defendant. ) ________________________________________________ ) MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF PLAINTIFF’S MOTION FOR TEMPORARY RESTRAINING ORDER AND PRELIMINARY INJUNCTION Plaintiff the Electronic Privacy Information Center (“EPIC”) submits the following memorandum of points and authorities in support of EPIC’s motion for a temporary restraining order and preliminary injunction.2 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 2 Pursuant to LCvR 65.1(a), prior to filing this motion, EPIC provided Defendant actual notice of the filing, including copies of all pleadings and papers. See generally Rotenberg Decl; see also Exhibits 1-6. TABLE OF CONTENTS TABLE OF CONTENTS.................................................................................................... ii TABLE FOR AUTHORITIES .......................................................................................... iii INTRODUCTION .............................................................................................................. 1 FACTUAL BACKGROUND............................................................................................. 1 I. Google Engaged in Unfair and Deceptive Trade Practices that Disclosed Consumers’ Personal Information Without Consent ...................................................... 1 II. EPIC Filed a Complaint with the FTC Detailing Google’s Unfair and Deceptive Trade Practices................................................................................................................ 2 III. The FTC Resolved EPIC’s Complaint by Entering Into a Consent Order with Google............................................................................................................................. 3 IV. Google Recently Announced Business Practices that Violate the Consent Order; the Practices will take Effect March 1, 2012 .................................................................. 5 IV. The FTC Has not Enforced the Consent Order ...................................................... 6 ARGUMENT...................................................................................................................... 7 I. Legal Standards......................................................................................................... 7 II. EPIC Is Entitled to a Temporary Restraining Order and a Preliminary Injunction Requiring the FTC to Enforce the Commission’s Consent Order .................................. 8 A. EPIC is Likely to Prevail on the Merits.............................................................. 8 B. Millions of Internet Users, Including EPIC, Will Face Irreparable Damage Absent Injunction...................................................................................................... 17 C. There is Little Possibility of Harm to Respondents if Relief is Granted ........... 20 D. There is a Strong Public Interest in Granting Petitioners’ Motion.................... 21 CONCLUSION................................................................................................................. 21 CERTIFICATE OF SERVICE ......................................................................................... 23 ii TABLE FOR AUTHORITIES Cases Amador County, Cal. v. Salazar, 640 F.3d 373, 383 (D.C. Cir. 2011)............................... 9 Baumann v. Dist. of Columbia, 655 F. Supp. 2d 1 (D.D.C. 2009) ..................................... 8 Carter, Fullerton & Hayes, LLC v. F.T.C., 637 F. Supp. 2d 1 (D.D.C. 2009)................... 9 Chaplaincy of Full Gospel Churches v. England, 454 F.3d 290 (D.C. Cir. 2006)..... 17, 20 Coalition for Parity, Inc. v. Sebelius, 709 F.Supp.2d 6, 7-8 (D.D.C. 2010)....................... 7 Cobell v. Norton, 391 F.3d 251 (D.C. Cir. 2004) ............................................................... 8 Consumer Fed’n of America v. FTC, 515 F.2d 367 (D.C. Cir. 1975) ................................ 7 FTC v. Mallett, No. 11-01664 CKK, 2011 WL 4852228 (D.D.C. Oct. 13, 2011) ..... 20, 21 FTC v. Mylan Laboratories, Inc., 62 F. Supp. 2d 25 (D.D.C. 1999) aff’d in part, rev’d in part sub nom. FTC v. Mylan Laboratories, Inc., 99 F. Supp. 2d 1 (D.D.C. 1999) ........ 9 Gonzales v. O Centro Espirita Beneficente Uniao Do Vegetal, 126 S. Ct. 1211 (2006).... 8 Hall v. Johnson, 599 F.Supp.2d 1 (D.D.C. 2009)............................................................... 7 Holloway v. Bristol-Myers Corp., 485 F.2d 986 (D.C. Cir. 1973) ................................... 10 In re Aiken County, 645 F.3d 428 (D.C. Cir. 2011).......................................................... 10 Krause Intern., Inc. v. Reed Elsevier, Inc., 866 F.Supp. 585 (D.D.C. 1994).................... 18 Nat'l Ass'n of Mortg. Brokers v. Bd. of Governors of Fed. Reserve Sys., 773 F. Supp. 2d 151 (D.D.C. 2011) ........................................................................................................ 18 National Wildlife Federation v. Burford, 835 F.2d 305, 319 (D.C. Cir. 1987) .................. 8 Norton v. S. Utah Wilderness Alliance, 542 U.S. 55 (2004)............................................... 9 Paschall v. Kansas City Star Co., 441 F. Supp. 349 (W.D. Mo. 1977)............................ 18 Raymen v. United Senior Ass'n, Inc., No. 05-486, 2005 WL 607916 (D.D.C. Mar. 16, 2005) ............................................................................................................................. 18 Sterling Commercial Credit-Michigan, LLC v. Phoenix Industries I, LLC, 762 F.Supp.2d 8, 13 (D.D.C. 2011) ........................................................................................................ 7 Statutes 15 U.S.C. § 45 (2011) ....................................................................................................... 18 15 U.S.C. § 45(a)(2) (2011) .......................................................................................... 9, 21 15 U.S.C. § 45(l) (2011) ................................................................................................. 6, 9 15 U.S.C. § 56(a)(2) (2011) .............................................................................................. 10 5 U.S.C. § 551 (13) (2011) ................................................................................................. 9 5 U.S.C. § 706(1) (2011) .................................................................................................... 9 Other Authorities Claire Davenport, EU regulators want Google to halt new privacy policy, Chicago Tribune (Feb. 3, 2012)................................................................................................................. 14 Complaint of the Elec. Privacy Info. Ctr., In the Matter of Google, Inc., FTC File No. 102 3136 (Feb. 16, 2010)................................................................................................... 2, 3 Complaint, In the Matter of Google Inc., FTC File No. 102 3136 (October 13, 2011). 1, 2, 13 Complaint, In the Matter of Google, Inc., FTC File No. 102 3136 (Mar. 30, 2011)........ 18 Decision and Order, In the Matter of Google, Inc., FTC File No. 102 3136 (Oct. 13, 2011) ...................................................................................................................... passim iii Google, One Policy, One Google Experience, https://www.google.com/intl/en/policies/ (last visited Feb. 6, 2012)........................................................................................ 19, 20 James Kanter, E.U. Presses Google to Delay Privacy Policy Changes, N.Y. TIMES, Feb. 3, 2012, at B3 .................................................................................................................... 14 Jennifer Valentino-DeVries, What Do Google’s Privacy Changes Mean for You?, WALL STREET JOURNAL (Jan. 25, 2012, 2:10 PM), http://blogs.wsj.com/digits/2012/01/25/what-do-googles-privacy-changes-mean-foryou/ ............................................................................................................................... 19 Press Release, FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network, Federal Trade Commission, Mar. 30, 2011 ................................... 4, 19 Preview: privacy policy, Google (2012), https://www.google.com/intl/en/policies/privacy/preview/....................................... 12, 19 Preview: Self Regulatory Frameworks, Google (2012), https://www.google.com/intl/en/policies/privacy/frameworks/....................................... 13 Safe Harbor, U.S. Dept. of Commerce, http://export.gov/safeharbor/ (last updated Mar. 22, 2011, 3:59 PM) .............................................................................................................. 13 Supplemental Complaint of the Elec. Privacy Info. Ctr., In the Matter of Google, Inc., FTC File No. 102 3136 (2011) ....................................................................................... 3 Updating our Privacy Policies and Terms of Service, The Google Blog (Jan. 24, 2012 1:30 PM)...................................................................................................................... 5, 11, 12 iv INTRODUCTION This action arises from Google, Inc.’s imminent violation of a consent order with the Federal Trade Commission (“FTC”). An October 13, 2011 consent order bars Google from misrepresenting the company’s privacy practices, requires the company to obtain users’ consent before disclosing personal data, and requires the company to develop and comply with a comprehensive privacy program. The FTC consent order arises from a complaint filed by EPIC with the Commission on February 6, 2010. Two weeks ago Google announced that it would change its terms of service for current users of Google services and consolidate users’ personal information across more than 60 Google services in clear violation of its prior commitments to the Federal Trade Commission. The change will become effective on March 1, 2012. The Federal Trade Commission has a non-discretionary obligation to enforce a final order. But the agency has thus far failed to take any action regarding this matter, placing the privacy interests of literally hundreds of millions Internet users at grave risk. EPIC brings this Administration Procedure Act suit to require the Commission to enforce the consent order. FACTUAL BACKGROUND I. Google Engaged in Unfair and Deceptive Trade Practices that Disclosed Consumers’ Personal Information Without Consent On Tuesday, February 9, 2010, Google attempted to launch a social networking service, Google Buzz. Complaint at 2, In the Matter of Google Inc., FTC File No. 102 3136 (October 13, 2011), available at http://www.ftc.gov/os/caselist/1023136/111024googlebuzzcmpt.pdf. As part of this attempt, Google took information that users provided for Google electronic mail service Gmail and used it to populate Buzz, a separate and discrete social network service. Id. Google transferred the data of the users of Gmail even in those circumstances where users purposefully 1 chose not to sign up for the social network services. Id. at 3. Furthermore, Google did not adequately communicate that, as a result of these action, Google would make public certain private information by default; options for controlling this information, as the Federal Trade Commission subsequently determined, were “confusing and difficult to find.” Id. at 3. With the attempted introduction of Buzz, Google disclosed personal information, such as email addresses, without consumers’ permission. Id. at 4. In some cases, Google’s disclosure made public lists of followers and people to follow that included abusive ex-husbands, clients of mental health professionals or attorneys, and others. Id. at 5. As the Federal Trade Commission subsequently determined, these practices were unfair and deceptive. Google’s terms of service stated that Google would use information given by Gmail users only for to provide email services. Id. Instead, Google used this information in Buzz. Id. Google also deceptively claimed that it would seek the consent of users before using their information for a purpose other than that for which it was collected. Id. at 6. Furthermore, Google misrepresented the ability of users to exercise control over their information. Id. at 6. Finally, Google misrepresented the extent of its compliance with the U.S.-EU Safe Harbor Framework by claiming that the company complied with the framework while violating the principles of Notice and Choice. Id. at 7-8. II. EPIC’s Initial Complaint with the Federal Trade Commission Gave Rise to the Subsequent Investigation and Final Consent Order with Google On February 16, 2010, within a week of the introduction of Buzz, EPIC filed a complaint with the Federal Trade Commission urging the Commission to investigate the launch of Google Buzz and to determine whether the company had engaged in unfair and deceptive trade practices, in violation of Section 5 of the FTC Act. Complaint of the Elec. Privacy Info. Ctr. at 13-15, In the Matter of Google, Inc., FTC File No. 102 3136 (Feb. 16, 2010), available at 2 https://epic.org/privacy/ftc/googlebuzz/GoogleBuzz_Complaint.pdf. Complainant EPIC explained that Google automatically enrolled Gmail users in Buzz, and subsequently disclosed users’ email contacts in violation of the terms of service. Id. at 4-5. There was no clear way for a user to opt out of Buzz or make information non-public. Id. at 5. Furthermore, Google violated Gmail’s privacy policy, which clearly stated that Google would only use contact lists and other related personal data to provide Gmail services. Supplemental Complaint of the Elec. Privacy Info. Ctr. at 2-3, In the Matter of Google, Inc., FTC File No. 102 3136 (2011), available athttps://epic.org/privacy/ftc/googlebuzz/Google_Buzz_Supp_Complaint.pdf. Finally, EPIC alleged that Google harmed users by violating their expectation of privacy in their emails, with particularly severe effects for professionals, such as lawyers, journalists, and healthcare providers, who promise confidentiality. EPIC’s complaint urged the FTC to “enjoin [Google’s] unfair and deceptive business practices and require Google to protect the privacy of Gmail users.” Complaint of the Elec. Privacy Info. Ctr., supra. Specifically, complainant EPIC urged that the FTC (1) compel Google to make Google Buzz a fully opt-in service for Gmail users; (2) compel Google to cease using Gmail users’ private address book contacts to compile social networking lists; (3) compel Google to give Google Buzz users more control over their information by allowing users to accept or reject followers from the outset; and (4) provide such other relief as the Commission found necessary and appropriate. Id. at 15-16. III. Subsequent to the filing of the Complaint by EPIC, the Federal Trade Commission Undertook an Investigation and Entered a Final Order Against Google On March 30, 2011, the FTC released a Complaint and announced a proposed Consent Order with Google. Exhibits 7-8. The Commission found that Google had launched Buzz through Gmail, and that “options for declining or leaving the social network were ineffective.” 3 Press Release, FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network, Federal Trade Commission, Mar. 30, 2011, http://www.ftc.gov/opa/2011/03/google.shtm. Furthermore, controls for limiting the disclosure of personal information were “confusing and difficult to find . . . .” Id. Google also “failed to disclose adequately that consumers’ frequent email contacts would become public by default.” Id. Finally, the FTC found that Google violated the U.S.-EU Safe Harbor Framework by “fail[ing] to give consumers notice and choice before using their information for a purpose different from that for which it was collected.” Id. In announcing the Consent Order, Jon Leibowitz, Chairman of the FTC, said, “when companies make privacy pledges, they need to honor them.” Id. The FTC acknowledged the significance of EPIC’s complaint in the agency’s action. “Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.” Id. The Federal Trade Commission opened the proposed Consent Order for public comment. The FTC issued the final Consent Order on October 13, 2011. Exhibit 9. The Commission vote approving the final settlement was 4-0. The Consent Order contains nine parts. Decision and Order, In the Matter of Google, Inc., FTC File No. 102 3136 (Oct. 13, 2011), available at http://www.ftc.gov/os/caselist/1023136/111024googlebuzzdo.pdf. Part I prohibits Google from misrepresenting (a) the extent to which it “maintains and protects the privacy and confidentiality” of personal information, and (b) the extent to which it complies with the U.S.EU Safe Harbor Framework. Id. at 3. Part II requires Google to obtain “express affirmative consent” before “any new or additional sharing by [Google] of the Google user’s identified information with any third party . . . .” Id. at 3-4. Part III requires Google to implement a 4 “comprehensive privacy program” that is designed to address privacy risks and protect the privacy and confidentiality of personal information. Id. at 4. Part IV requires Google to submit to independent, biennial privacy assessments, which are then to be provided to the FTC. Id. at 5. Finally, Parts V-IX require Google to make copies of certain privacy-related documents available to the FTC, to deliver the Consent Order to all officers and directors, to notify the FTC thirty days before any major change in corporate structure or status that might affect compliance, and to file a report with the FTC in 90 days describing compliance Google with the Agreement. Id. at 5-7. IV. Google Recently Announced Changes in Business Practices that Would Violate the Consent Order; the Changes will take Effect March 1, 2012 On January 24, 2012, Google announced that, effective March 1, the company will change its terms of service, and use the personal information obtained from user in ways inconsistent with the original collection. Exhibits 10-11. Rather than keeping personal information about a user of a given Google service separate from information gathered from other Google services, Google will consolidate user data from across its services and create a single merged profile for each user. Users will no longer be able to keep the personal information they provided to use the Google email service for simply that service; Google will be able to combine the user information provided for email with other Google services, including the Google social network service. Google stated: “Our new Privacy Policy makes clear that, if you’re signed in, we may combine information you've provided from one service with information from other services. In short, we’ll treat you as a single user across all our products ….” Updating our Privacy Policies and Terms of Service, The Google Blog (Jan. 24, 2012 1:30 PM), http://googleblog.blogspot.com/2012/01/updating-our-privacy-policies-and-terms.html. 5 These changes violate the Consent Order between Google and the FTC. As set forth below, Google violated Part I(a) of the Consent Order by misrepresenting the extent to which it maintains and protects the privacy and confidentiality of covered information. Google also violated Part I(b) of the Consent Order by misrepresenting the extent to which it complies with the U.S.-EU Safe Harbor Framework. Google violated Part II of the Consent Order by failing to obtain affirmative consent from users prior to sharing their information with third parties. Google violated Part III of the Consent Order by failing to comply with the requirements of a comprehensive privacy program. IV. The FTC Has not Enforced the Consent Order To date, the FTC has failed to take any action with respect to Google’s imminent changes in privacy practices. Critically, the Commission has not filed a lawsuit pursuant to, the Federal Trade Commission Act which states that the FTC “shall” obtain injunctive relief and recover civil penalties against companies that violate consent orders. 15 U.S.C. § 45(l) (2011) (emphasis added). 6 ARGUMENT EPIC is entitled to a temporary restraining order and a preliminary injunction compelling the FTC to enforce the Consent Order. EPIC is likely to prevail on the merits, and certain to suffer irreparable injury if this motion is not granted. The Court must act now to prevent irreparable injury to the EPIC and the public. The prospect of harm to the FTC is low if the motion is granted, and the public interest strongly favors EPIC’s motion. EPIC’s lawsuit asks this Court to prevent a danger recognized by the D.C. Circuit and first identified during the debate over the creation of the Federal Trade Commission – the hazard that consumers will obtain relief under a FTC order, only to be left without recourse if the Commission fails to enforce its order. Consumer Federation of America v. Federal Trade Commission, 515 F.2d 367 (D.C. Cir. 1975), identifies EPIC’s key concern. Quoting Senator Walsh from the original debate in 1914 over the creation of the Federal Trade Commission: . . . I feel that we ought carefully to guard the rights of the party making the complaint lest at some time or other we should have a commission that has no interest in the maintenance of the law; a commission not desirous of enforcing it against the great combinations, not desirous of enforcing it against those who may sustain friendly relations with members of the commission or those influential with it. Id. at 371, n. 12. I. Legal Standards EPIC seeks a temporary restraining order and a preliminary injunction. “The same standard applies to both temporary restraining orders and to preliminary injunctions.” Hall v. Johnson, 599 F.Supp.2d 1, 6 n. 2 (D.D.C. 2009); accord Sterling Commercial Credit-Michigan, LLC v. Phoenix Industries I, LLC, 762 F.Supp.2d 8 (D.D.C. 2011); Coalition for Parity, Inc. v. Sebelius, 709 F.Supp.2d 6 (D.D.C. 2010). 7 In order to obtain injunctive relief, “a moving party must show: (1) a substantial likelihood of success on the merits, (2) that it would suffer irreparable injury if the injunction were not granted, (3) that an injunction would not substantially injure other interested parties, and (4) that the public interest would be furthered by the injunction.” Baumann v. Dist. of Columbia, 655 F. Supp. 2d 1, 6 (D.D.C. 2009) (citing Chaplaincy of Full Gospel Churches v. England, 454 F.3d 290, 297 (D.C. Cir. 2006)); accord National Wildlife Federation v. Burford, 835 F.2d 305 (D.C. Cir. 1987); Cobell v. Norton, 391 F.3d 251, 258 (D.C. Cir. 2004). When agency action is involved, the Court should balance the actual irreparable harm to the plaintiff and the potential harm to the government. Gonzales v. O Centro Espirita Beneficente Uniao Do Vegetal, 126 S. Ct. 1211, 1219 (2006). II. EPIC Is Entitled to a Temporary Restraining Order and a Preliminary Injunction Requiring the FTC to Enforce the Commission’s Consent Order A. EPIC is Likely to Prevail on the Merits EPIC’s primary claim in this lawsuit is straightforward: the FTC investigated Google’s conduct in launching Google Buzz, found the company’s conduct to be unfair and deceptive, and entered into a consent order with Google to ensure that similar conduct would not reoccur. Google’s recent announcement that the company intends to consolidate users’ personal information without individuals’ consent violates the consent order and threatens to harm consumers. The FTC is required to enforce the consent order. But the Commission has failed to due so. 8 1. The FTC has Unlawfully Withheld Agency Action by Failing to Enforce the Consent Order EPIC may “compel agency action unlawfully withheld” pursuant to the Administrative Procedure Act. 5 U.S.C. § 706(1) (2011). “Agency action unlawfully withheld” is a defined as “discrete agency action that [the agency] is required to take.” Norton v. S. Utah Wilderness Alliance, 542 U.S. 55, 64 (2004) (emphasis in original). Agency action is the “whole or part of an agency rule order, license, sanction, relief, or the equivalent or denial thereof, or failure to act.” 5 U.S.C. § 551 (13) (2011). Agency action, including a “failure to act” is subject to judicial review. Amador County, Cal. v. Salazar, 640 F.3d 373, 383 (D.C. Cir. 2011).3 The FTC is required to “prevent persons, partnerships, or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(2) (2011). Accord Carter, Fullerton & Hayes, LLC v. F.T.C., 637 F. Supp. 2d 1, 9 (D.D.C. 2009); FTC v. Mylan Laboratories, Inc., 62 F. Supp. 2d 25, 32 (D.D.C. 1999) aff’d in part, rev’d in part sub nom. FTC v. Mylan Laboratories, Inc., 99 F. Supp. 2d 1 (D.D.C. 1999). To that end, the FTC enters into consent orders with such “persons, partnerships, or corporations” to prevent unfair and deceptive trade practices. If such an order is violated, the party “shall forfeit a penalty to the United States” and be subject to the exclusive enforcement power of the FTC. See 15 U.S.C. §45(l) (emphasis added); 15 U.S.C. § !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 3 This court has previously held that a plaintiff cannot maintain “private actions … asserted under the Federal Trade Commission Act.” Holloway v. Bristol-Myers Corp., 485 F.2d 986, 987 (D.C. Cir. 1973). However, this does not bar adjudication of claims against the FTC under the Administrative Procedure Act 5 U.S.C. § 706 for agency action unlawfully withheld. See Amador County, Cal. v. Salazar, 640 F.3d 373, 380 (D.C. Cir. 2011) (citing Bowen v. Mich. Acad. of Family Physicians, 476 U.S. 667, 671-72 (1986)). There is a “the strong presumption that Congress intends judicial review of administrative action.” Bowen, 476 U.S. at 670. 9 56(a)(2) (2011); Holloway v. Bristol-Myers Corp., 485 F.2d 986, 994 (D.C. Cir. 1973) (citing United States v. Saint Regis Paper Co., 355 F.2d 688 (2d Cir. 1966)). This court has not had occasion to consider whether the FTC is “required to take” enforcement action when its consent orders are violated, but it is clear from the statute that the Commission is required to enforce its orders. The FTC has exclusive authority over the enforcement of its consent orders. See id. The enforcement provision of the FTC Act, Section 5(l), makes clear that the agency action is not discretionary; a violating party “shall forfeit” a penalty and be subject to an enforcement action. The FTC’s failure to act on Google’s violation of the FTC’s Consent Order—which includes Google misrepresenting its business practices—contravenes the FTC’s nondiscretionary duty to prevent corporations from using “deceptive acts or practices in or affecting commerce.” The violation of a consent order is a discrete act, as is the agency’s decision to enforce or not enforce the order. Accordingly, the FTC has failed to perform “a discrete agency action” by failing to enforce its final order. The FTC is charged with performing a “discrete agency action.” A “discrete agency action” is a “final agency action” under the APA. In re Aiken County, 645 F.3d 428, 437 (D.C. Cir. 2011) (quoting Cobell v. Kempthorne, 455 F.3d 301, 307 (D.C.Cir. 2006)). Here the FTC unlawfully withheld such an action -- namely commencing a civil action for violation of its consent order, or authorizing the Attorney General to do so—and has failed to perform by not enforcing its October 13, 2011 consent order against Google. 1. In Violation of Count 1(a), Google has Misrepresented the Extent to Which it Maintains and Protects the Privacy and Confidentiality of Covered Information The Consent Order prohibits Google from misrepresenting “in any manner, either expressly or by implication” protections on the privacy and confidentiality of “covered information,” 10 including “the purposes for which [Google] collects and uses covered information,” and “the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.” Decision and Order, supra at 3. “Covered information” includes, but is not limited to (a) first and last name; (b) home or other physical address, including street name and city or town; (c) email address or other online contact information, such as a user identifier or screen name; (d) persistent identifier, such as IP address; (e) telephone number, including home telephone number and mobile telephone number; (f) list of contacts; (g) physical location; or any other information from or about an individual consumer that is combined with (a) through (g) above. Id. at 3. Google’s announcements fail to either disclose or adequately explain that user data will be consolidated for the purposes of benefiting advertisers through improved targeting of users. The email that Google sent to users notifying them of its changes in business practices completely fails to mention targeted advertising. Instead, the email only presents the changes as features that increase functionality for users. The first lines state that Google’s new privacy policy is “shorter and easier to read,” and that it “reflect[s] our desire to create one beautifully simple and intuitive experience across Google.” The email goes on to state that Google’s changes will allow Google to tailor its services for users and will make it easier for users to share, collaborate, and work across Google. The email also states that “protecting your privacy hasn’t changed.” Nor does Google’s initial blog post adequately mention targeted advertising. Google’s blog post emphasizes only the increased functionality for users. See Updating our privacy policies and terms of service, The Google Blog (Jan. 24, 2012 1:30 PM), http://googleblog.blogspot.com/2012/01/updating-our-privacy-policies-and-terms.html. Indeed, the point of the changes, according to Google, appears to be “integrat[ing] our different products more closely so that we can create a beautifully simple, intuitive user experience across Google. Id. 11 Overall, the text of the blog post contains 746 words. Only 2 sentences, representing 26 total words, mention advertisements. See id. Google’s privacy policy also fails to adequately explain the way in which users’ consolidated data will be used for targeted advertising. Discussion of advertising in the privacy policy is either not specific (“more relevant . . . ads”) or confusing (“We will not combine DoubleClick cookie information with personally identifiable information unless we have your optin consent.”). Preview: privacy policy, Google (2012), https://www.google.com/intl/en/policies/privacy/preview/. Thus, Google’s email notification, initial blog post, and privacy policy “misrepresent . . . the purposes for which it collects and uses covered information” by failing to either disclose or adequately explain that user data will be consolidated for the purposes of benefiting advertisers through improved targeting of users. Google’s announcements also fail to disclose that users can limit the aggregation of their personal information. For example, users can (1) avoid signing in to their user accounts or (2) create separate user accounts for separate Google services. Google’s email does not indicate that consumers may exercise control over their personal information at all, much less that they may either avoid signing in to their user accounts or create separate user accounts for separate Google services. Google’s initial blog also does not state that users may limit the aggregation of their personal data by using either of these techniques. See Updating our privacy policies and terms of service, The Google Blog (Jan. 24, 2012 1:30 PM), http://googleblog.blogspot.com/2012/01/updating-our-privacy-policies-and-terms.html. Thus, Google’s email notification, initial blog post, and privacy policy “misrepresent . . . the extent to which consumers may exercise control over the collection, use, or disclosure of covered 12 information” by failing to mention important ways that users can limit the aggregation of their personal information. 2. In Violation of Count I(b) of the Consent Order, Google has Misrepresented the Extent to Which it Complies with the U.S.-E.U. Safe Harbor The Safe Harbor Framework is a voluntary framework that allows U.S. companies to transfer personal data from the EU to the U.S. provided that the companies self-certify to the U.S. Department of Commerce that they meet the EU requirements for privacy and protection of personal data. Complaint, supra at 6. The Safe Harbor Framework recognizes that while “the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.” See Safe Harbor, U.S. Dept. of Commerce, http://export.gov/safeharbor/ (last updated Mar. 22, 2011, 3:59 PM). Compliance with the Safe Harbor requirements is a critical representation that allows US firms to collect data on European consumers that would otherwise be subject to the legal obligations European Union Data Protection Directive 95/46/ec. The Consent Order prohibits Google from “misrepresent[ing] in any manner, either expressly or by implication: the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework. Decision and Order, supra at 3. Google’s new privacy policy represents that it complies with the U.S.-EU Safe Harbor Framework. See Preview: Self Regulatory Frameworks, Google (2012), https://www.google.com/intl/en/policies/privacy/frameworks/. European Union officials, having received the announcement of Google’s proposed changes to its business practices, have asked the company to suspend its plans pending a full review to 13 determine whether Google’s actions comply with its legal obligation under the EU Data Protection Directive. See Claire Davenport, EU regulators want Google to halt new privacy policy, Chicago Tribune (Feb. 3, 2012), http://www.chicagotribune.com/business/sns-rt-us-eu-googletre8120og20120203,0,2362697.story. Viviane Reding, the Justice Minister for the European Union, endorsed this action and called on European authorities “to ensure that E.U. law is fully complied with in Google’s new privacy policy.” James Kanter, E.U. Presses Google to Delay Privacy Policy Changes, N.Y. TIMES, Feb. 3, 2012, at B3. Thus, Google has misrepresented “the extent to which [it] . . . adheres to, complies with, is certified by, is endorsed by, or otherwise participates in . . . the U.S.-EU Safe Harbor Framework.” 3. In Violation of Count II of the Consent Order, Google has Failed to Obtain Affirmative Consent from Users Prior to Google’s Changes in Business Practices The Consent Order requires that Google “[o]btain express affirmative consent from the Google user,” before “any new or additional sharing by [Google] of the Google user’s identified information with any third party, that: 1) is a change from stated sharing practices in effect at the time [Google] collected such information, and 2) results from any change, addition, or enhancement to a product or service by [Google] . . . .” Decision and Order, supra at 3-4. The Consent Order defines “third party” as: any individual or entity other than: (1) respondent; (2) a service provider of respondent that: (i) uses or receives covered information collected by or on behalf of respondent for and at the direction of the respondent and no other individual or entity, (ii) does not disclose the data, or any individually identifiable information derived from such data, to any individual or entity other than respondent, and (iii) does not use the data for any other purpose; or (3) any entity that uses covered information only as reasonably necessary: (i) to comply with applicable law, regulation, or legal process, (ii) to enforce respondent’s terms of use, or (iii) to detect, prevent, or mitigate fraud or security vulnerabilities. Id. at 3. All individuals or entities qualify as “third parties” under the consent order, unless those 14 individuals or entities are Google or subsidiaries of Google, are service providers of Google, or use covered information only as “reasonable necessary” to comply with an “applicable law, regulation, or legal process,” to enforce Google’s terms of use, or to “detect, prevent or mitigate fraud or security vulnerabilities.” Id. Advertisers are not Google nor are they “service provider[s] of [Google],” and advertisers use covered information to better direct advertising and to influence sales. Advertisers do not fit into any of these categories, and thus qualify as “third parties” under the Consent Order. Google’s announced changes to business practices will make it possible for advertisers to gain access to personal information which was previously unavailable to them. Google ads are targeted to individual users based on information Google gathers about individual users in a particular related to a particular service, such as search terms that a user provides for Google Search. Google users who click on these targeted, Google-provided ads are linked to those advertisers’ webpages granting advertisers access to the user’s IP address. In some cases, advertisers can identify the keyword used for targeting the ads. Currently, Google does not “combine information within an account for two services: Web History, which is search history for signed-in users, and YouTube.” Letter regarding updated privacy policy from Google, Inc., to Rep. Cliff Stearns et al. (Jan. 30, 2012), https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0BwxyRPFduTN2NTZh NDlkZDgtMmM3MC00Yjc0LTg4YTMtYTM3NDkxZTE2OWRi&hl=en_US. Therefore, the information used to target ads to users does not include YouTube or Google search histories. See id. Under Google’s changes to business practices, the company will “include your use of signed-in search history and YouTube in your use of all Google services.” Id. Therefore, advertisers’ keywords can target YouTube and Google search histories, expanding the pool from which 15 advertisers can obtain information about users. Advertisers can often access this additional information, in the form of the targeted keywords or searched-for phrase, when users click on the targeted ads. Thus, Google will share new or additional information with third-party advertisers without first obtaining “express affirmative consent” from Google users. This change “is a change from stated sharing practices in effect at the time [Google] collected such information,” and results from a “change, addition, or enhancement to a product or service by [Google].” Google has already collected significant amounts of personal information; this change will consolidate this information together into a single account. The change to business practices results from a change to the privacy policies and terms of service for most Google products. Under Google’s announced changes to business practices, Google will share new or additional information with third-party advertisers. Google does this without first obtaining “express affirmative consent” from Google users. Thus, Google has violated Count II of the Consent Order. 4. In Violation of Count III of the Consent Order, Google has Failed to Comply with the Requirements of a Comprehensive Privacy Program The Consent Order requires that Google “establish and implement, and thereafter maintain, a comprehensive privacy program” that is designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information. Such program, the content and implementation of which must be documented in writing, shall contain privacy controls and procedures appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information . . . . Decision and Order, supra at 4. As described above, Google has announced changes in business practices that (1) create new privacy and security risks for users of Google services and (2) fail to protect the privacy and 16 confidentiality of covered information Google has misrepresented the extent to which it protects the privacy and security of users’ personal information. Google has also failed to obtain the affirmative express consent of users before engaging in new or additional sharing of users’ information with third parties. At a minimum, a comprehensive privacy program required by the consent order, which arose from the company’s attempt to combine user data from two discrete services, cannot permit the company to now engage in the same prohibited practice. Thus, Google’s actions violate a comprehensive privacy program that is “reasonably designed to . . . address privacy risks related to the development and management of new and existing products and services” and which “protect[s] the privacy and confidentiality of covered information.” B. Millions of Internet Users, Including EPIC, Will Face Irreparable Damage Absent Injunction The FTC’s failure to prevent the implementation of Google’s new Privacy Policy will cause irreparable harm to all Google users, including EPIC.4 “Irreparable injury” must be “both certain and great; it must be actual and not theoretical.” Chaplaincy of Full Gospel Churches v. England, 454 F.3d 290, 297 (D.C. Cir. 2006) (quoting Wisc. Gas Co. v. FERC, 758 F.2d 669, 674 (D.C. Cir.1985) (per curiam)). The moving party must show a “clear and present need for equitable relief,” that is “beyond remediation.” Nat'l Ass'n of Mortg. Brokers v. Bd. of Governors of Fed. Reserve Sys., 773 F. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 4 Google recently announced during its quarterly “earnings call” that its Gmail service has 350 million users. Harrison Weber, Gmail Closes in on Hotmail with 350 MM Active Users, TheNextWeb, Jan. 19, 2012, available at http://thenextweb.com/google/2012/01/19/gmailcloses-in-on-hotmail-with-350-mm-active-users/. According to Google’s quarterly earnings statement, more than 46% of Google revenue is generated in the United States. Google Inc., Annual Report (Form 10-K), at 8 (Jan. 26, 2012). According to recent 2010 comScore, J.P. Morgan estimates, 81% of US Internet users access Google services. Peter Kafka, Why is Facebook Worth $50 Billion? Check Out These Charts, All Things D (Jan. 3, 2011), available at http://allthingsd.com/20110103/why-is-facebook-worth-50-billion-check-out-these-charts/. 17 Supp. 2d 151, 179-80 (D.D.C. 2011). When a plaintiff faces “certain and imminent” injury with no way to recover the loss, it weighs in favor of finding “irreparable injury.” Id. Irreparable injury may be presumed in an unfair competition action. See Krause Intern., Inc. v. Reed Elsevier, Inc., 866 F.Supp. 585, 587 (D.D.C. 1994) (“trademark infringement and unfair competition are, by their very nature, activities that cause irreparable harm.”) (quoting Sears, Roebuck & Co. v. Sears Financial Network, 576 F.Supp. 857, 864 (D.D.C. 1983); See also, Paschall v. Kansas City Star Co., 441 F. Supp. 349, 359 (W.D. Mo. 1977) (citing Foremost International Tours, Inc. v. Qantas Airways, Ltd., 379 F.Supp. 88, 97 (D.Hawaii 1974), aff'd, 525 F.2d 281 (9th Cir. 1975)). Furthermore, it is well established that injunctive relief is appropriate to prevent harm to privacy interests such as misappropriation. See Raymen v. United Senior Ass'n, Inc., No. 05-486, 2005 WL 607916 at *4 (D.D.C. Mar. 16, 2005) (citing Factors Etc., Inc. v. Pro Arts., Inc., 579 F.2d 215, 220 (2d Cir.1978); Ryan v. Volpone Stamp Co., 107 F.Supp.2d 369, 404 (S.D.N.Y.2000); Ali v. Playgirl, Inc., 447 F.Supp. 723, 729 (S.D.N.Y.1978)). Cases in which injunctive relief has been sought to “protect privacy interests” have held that “proof of damages or unjust enrichment may be extremely difficult,” and thus injunctive relief is often appropriate. Id. (citing Ali, 447 F.Supp. at 729). In February 2010, EPIC filed a complaint with the FTC alleging that Google had engaged in unfair and deceptive trade practices in violation of the FTC Act, 15 U.S.C. § 45 (2011). Based directly on EPIC’s complaint, the FTC issued a complaint against Google on March 30, 2011, alleging unfair and deceptive business practices related to Google Buzz and Gmail that involved using customer information for purposes other than those to which the user explicitly agreed. See Complaint, In the Matter of Google, Inc., FTC File No. 102 3136 (FTC, Mar. 30, 2011). The FTC stated that EPIC’s complaint instigated the investigation of Google. Press Release, Federal 18 Trade Commission, FTC Charges Deceptive Privacy Practices in Google’s Rollout of its Buzz Social Network (Mar. 30, 2011), available at http://www.ftc.gov/opa/2011/03/google.shtm. On October 31, 2011, the FTC and Google finalized the Consent Order based on the FTC Complaint that requires, inter alia, Google to establish a comprehensive privacy program and to refrain from misrepresenting company practices. Decision and Order, supra at 3-5. On March 1, 2012, Google will change its terms of service and privacy policy in order to authorize new business practices. This change will impact all Google users, including EPIC, which maintains a Google account under the user name “EPICprivacy.” EPIC staff members and board members maintain personal Google accounts. Google has described the change as creating “one beautifully simple and intuitive experience.” Google, One Policy, One Google Experience, https://www.google.com/intl/en/policies/ (last visited Feb. 6, 2012) (“Google Privacy Overview”). Google asserts that “protecting your privacy hasn’t changed.” Id. However, that statement is clearly false, by Google’s own admission, and in clear contravention of the consent order. Google's proposed changes involve taking user information from all Google services, which is clearly prohibited under the current terms of services. See Preview: Privacy Policy, Google, http://www.google.com/intl/en/policies/privacy/preview/ (last visited Feb. 6, 2012); see also Jennifer Valentino-DeVries, What Do Google’s Privacy Changes Mean for You?, WALL STREET JOURNAL (Jan. 25, 2012, 2:10 PM), http://blogs.wsj.com/digits/2012/01/25/what-dogoogles-privacy-changes-mean-for-you/. Indeed, these changes in the current terms of services are necessary because otherwise the company could not engage in the change in business practices it intends to pursue. These changes in Google's business practices, which will harm users’ privacy, were misrepresented in 19 Google's notice to customers, and Google failed to obtain meaningful consent for these changes. See Google Privacy Overview. This imminent change in Google’s business practices threatens the same customer interests that the FTC’s Consent Decree sought to protect. If the FTC does not act to prevent the change, all Google users, including EPIC, face an imminent harm that is both certain and great. See Chaplaincy of Full Gospel Churches, 454 F.3d at 297. As the FTC made clear in the Commission’s Complaint and Consent Order, Google’s use of customer information without meaningful consent and its misrepresentations about such use are unfair and deceptive trade practices. The consolidation of customer information across Google services is a clear misappropriation of customer information. Google’s new business practices violate the terms of the Consent Order, and all the harms that gave rise to the original FTC complaint will re-occur if these changes go into effect. The FTC is directly responsible for the harm faced by EPIC and all users of Google services. Unless the FTC acts to prevent Google’s change in Privacy Policy, users’ personal information will be misappropriated, combined, and disclosed by Google in clear contravention of the consent order. The FTC has the authority and the obligation to enforce the consent order pursuant to the Federal Trade Commission Act. Users have no practical way to do so. C. There is Little Possibility of Harm to Respondents if Relief is Granted In order to sustain a motion for temporary injunctive relief, a moving party must show that the injunction “would not substantially injure other interested parties.” FTC v. Mallett, No. 11-01664 CKK, 2011 WL 4852228, *3 (D.D.C. Oct. 13, 2011). In this case it is clear that the FTC will suffer no cognizable injury from the enforcement of its consent order. If this court 20 provides the injunctive relief requested, the Commission will merely be required to do what is clearly in its interest: enforcing its consent order to prevent unfair and deceptive trade practices. The Commission has argued successfully that “[t]he public interest in ensuring the enforcement of federal consumer protection laws is strong.” Id. at *6. The Commission is obligated to promote the public interest and to prevent corporations “from using unfair methods of competition.” 15 U.S.C. § 45(a)(2). To this end, the Commission conducts investigations and takes action when it identifies unfair and deceptive trade practices. The Commission can not suffer a cognizable harm if it is made to enforce its own consent order, because it has no legitimate interest in failing to enforce its own order.5 D. There is a Strong Public Interest in Granting Petitioners’ Motion It is well established that there is a strong public interest in favor of the enforcement of public laws and regulations. F.T.C. v. Whole Foods Mkt., Inc., 548 F.3d 1028, 1035 (D.C. Cir. 2008) (recognizing “the public interest in effective enforcement of the antitrust laws.”); F.T.C. v. Exxon Corp., 636 F.2d 1336, 1343 (D.C. Cir. 1980). Millions of Google users will benefit from enforcement of the consent order. Users will retain control over their personal information and will not be subjected to unfair and deceptive business practices. Accordingly, the public interest, like the other injunctive factors, strongly favors the granting of a injunctive relief compelling the FTC to enforce the 2011 Consent Order. CONCLUSION For the reasons set forth above, EPIC respectfully requests that the Court issue a temporary restraining order and preliminary injunction compelling the FTC to enforce the !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 5 Google is not a party to this lawsuit. Insofar as the company is an “interested party,” EPIC’s requested injunctive relief will not harm Google’s interests. Just as the FTC does not have a legitimate interest in a violation of the consent order, Google cannot have a cognizable legal interest in acting unlawfully. EPIC’s sole requested relief is enforcement of the consent order. 21 consent order in In the Matter of Google Inc., a Corporation, FTC File No. 102 3136 (Oct. 13, 2011). A proposed order is attached. Respectfully submitted, By: ________________________________ John Verdi, Esquire (DC Bar # 495764) Marc Rotenberg, Esquire (DC Bar # 422825) ELECTRONIC PRIVACY INFORMATION CENTER 1718 Connecticut Avenue, N.W. Suite 200 Washington, D.C. 20009 (202) 483-1140 (telephone) (202) 483-1248 (facsimile) Dated: February 8, 2012 22 CERTIFICATE OF SERVICE The undersigned counsel certifies that on the 8th day of February, 2012, he caused one copy each of the foregoing MOTION FOR TEMPORARY RESTRAINING ORDER AND PRELIMINARY INJUNCTION, including memorandum in support and attachments, to be served by electronic mail, facsimile, and overnight mail on the following: Willard K. Tom General Counsel Federal Trade Commission 600 Pennsylvania Avenue, N.W Washington, D.C. 20580 wtom@ftc.gov fax: (202) 326-2477 Chairman Jon Leibowitz Federal Trade Commission 600 Pennsylvania Avenue, N.W Washington, D.C. 20580 jleibowitz@ftc.gov fax: (202) 326-3442 Commissioner J. Thomas Rosch Federal Trade Commission 600 Pennsylvania Avenue, N.W Washington, D.C. 20580 trosch@ftc.gov fax: (202) 326-3446 Commissioner Edith Ramirez Federal Trade Commission 600 Pennsylvania Avenue, N.W Washington, D.C. 20580 eramirez@ftc.gov fax: (202) 326-2396 Commissioner Julie Brill Federal Trade Commission 600 Pennsylvania Avenue, N.W Washington, D.C. 20580 jbrill@ftc.gov 23 fax: (202) 326-2441 __________________ JOHN VERDI MARC ROTENBERG Electronic Privacy Information Center 1718 Connecticut Ave. NW Suite 200 Washington, DC 20009 (202) 483-1140 Counsel for Plaintiff 24