Google, Microsoft and the battle for regulators' trust

Out-Law News | 18 Jun 2014 | 9:50 am | 6 min. read

John Salmon’s Financial Services blog

The Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.  

Regulated businesses must maintain good relations with regulators and that means choosing a technology partner that understands how important that is. Finding a technology partner which can help innovative ideas to overcome regulatory hurdles should be high on the agenda for CIOs and boards.

To move forward with innovation, firms must work with and not against regulators. Martin Wheatley, FCA chief executive suggested as much last week when he spoke at a Lansons conference. He also said that "the FCA is working closer than ever before with financial service firms who are developing innovative approaches to service".

So when leading cloud providers such as Google and Microsoft take very different approaches to regulators, at times antagonising them, financial services firms should be paying close attention. This isn't just about Google or Microsoft's business, but about their customers' business too.

Google and the data protection regulators

The approach taken by Google towards regulators is an interesting one. Google is looking to develop its reputation as a trusted provider of B2B cloud products through its Cloud Platform. But again and again we see interactions between Google and regulators that are less than collaborative.

Back in 2012 Google’s decision to consolidate most of its privacy policies for separate services into one generalised policy for all services raised concerns among data protection regulators across Europe and elsewhere. Acting on this concern the chairman of the Article 29 Working Party wrote to Google requesting that it not move ahead with its plans to consolidate its privacy policies until the European regulators had time to analyse the privacy implications of doing so. The regulators were not asking for action, but simply more time.

"We call for a pause in the interests of ensuring that there can be no misunderstanding about Google's commitments to information rights of their users and EU citizens, until we have completed our analysis", the chairman said in his letter.  

Later that month CNIL, the French data protection regulator, expressed frustration at Google's handling of its relations with the regulators. In a letter to Google it said: "Contrary to public statements by Google representatives suggesting that data protection authorities across the EU had been 'extensively-briefed', not all authorities were informed, and those that were informed only heard about the changes a few days before the announcement. They saw the contents of the new privacy policy at best a few hours before its public release, without any opportunity to provide any constructive feedback."

Google and competition law authorities

Google’s responses to regulators on anti-competitive conduct issues provide further examples of what seems to be a combative approach towards regulators. For three years the European Commission investigated whether or not Google unfairly gives preference to its own services in Google Search over those of other companies. The Commission has also been concerned with Google's use of original content such as user reviews without authorisation; exclusivity arrangements around advertising through AdWords, and restrictions on the use of advertising campaigns used in connection with AdWords for other purposes.

In May 2012 Joaquín Almunia, at the time vice president of the European Commission, wrote to Google requesting that these matters be resolved quickly. Timing was important: “I believe that these fast-moving markets would particularly benefit from a quick resolution of the competition issues identified”, he said in a speech. “Restoring competition swiftly to the benefit of users at an early stage is always preferable to lengthy proceedings.”

Almunia offered “Google the possibility to come up in a matter of weeks” with proposals of remedies to address the Commission's concerns. However, it took until the beginning of 2014 for a tentative agreement to be reached between the Commission and Google, the provisions of which remain subject to much criticism.

Google has also let claims of anti-competitive behaviour advance to the investigation stage in a number of jurisdictions. At the end of last year it filed an annual report with US regulator SEC which said: “The Comision Nacional de Defensa de la Competencia in Argentina, the Competition Commission of India, the Taiwan Fair Trade Commission, Brazil's Council for Economic Defense and the Canadian Competition Bureau have also opened investigations into certain of our business practices”, according to reports.

In one of its most recent SEC filings in April 2014, Google acknowledged that "We are regularly subject to claims, suits, government investigations, and other proceedings involving competition and antitrust (such as the pending investigations by the EC), intellectual property, privacy, consumer protection, tax, labor and employment, commercial disputes, content generated by our users, goods and services offered by advertisers or publishers using our platforms, and other matters."

It has been reported that the UK's Financial Conduct Authority is focussing attention on Google's price comparison services which compare car and travel insurance, credit cards, mortgages and bank accounts in terms of anti-competitive conduct.

Microsoft and the regulators 

In the last few years Microsoft, on the other hand, has taken a more co-operative approach at least on the face of it. Like Google, it is building its cloud business, in Microsoft's case through Azure, Intune, Office 365 and other products. There is no doubt that over the years Microsoft has had strained relationships with regulators in a number of jurisdictions. But as far as we are aware, for some time now, Microsoft has been careful to avoid being in an open argument with a regulator, preferring to work with regulators.

Examples of Microsoft's more collaborative approach to regulator engagement include 'agreements' it has reached with various regulators. Just last month it was widely reported that Microsoft had received 'approval' from EU regulators for its approach towards privacy in the cloud, which it said was "enshrined" in its contracts. EU data protection body the Article 29 Working Party went so far as to say "The Working Party thanks Microsoft for the constructive collaboration that leads to these positive conclusions."

Similarly, for some time, Microsoft has publicised its dealings with the Dutch financial regulator. In 2012 it was first reported that it had reached an agreement with the Dutch Central Bank in relation to auditors' access to cloud premises. The details of the deal were never very clear and what seemed to have been reached was permission for regulators to enter any cloud premise and little more. But the impression created was one of a provider actively seeking to enable innovative services to overcome regulatory hurdles.

A third example of Microsoft's collaborative approach was its handling of tensions over the future of the US-EU safe harbour agreement. That agreement allows data to be transferred to servers located outside the EU where providers of data storage and processing services are safe habour certified. But uncertainty remains as to whether or not the agreement will continue to have a future, or how it will be shaped, if and when reforms on data protection in Europe are finalised.

In an effort to instill long term trust in its services Microsoft has explicitly said "Should the EU suspend the Safe Harbour Agreement with the US, as called for recently by the European Parliament, our enterprise customers won’t need to worry that their use of our cloud services on a worldwide basis will be interrupted or curtailed", according to the FT.

Trusting your technology partner to engage with the regulator

Developing a reputation built on trust is very different when operating in a B2B environment as compared to a B2C environment. As the leading cloud suppliers look to move from the B2C environment and establish themselves as genuine B2B technology providers, their brands are likely to be affected by their relations with regulators and how they present that relationship. Whereas in the B2C world, consumers are likely to be far less concerned on how suppliers manage relationships with regulators.

Microsoft has for some time been actively concerned about its branding in this regard. Google's follow-up to the 'right to be forgotten' judgment may be its chance to follow suit. It has already set up a mechanism for EU users to use to submit requests for links to personal data to be removed from search rankings. The Article 29 Working Party has already commented positively on this development and said: “As regards Google, the authorities welcome the form swiftly developed by this company as a first step toward compliance with EU law following the CJEU ruling, even if at this stage it is too early to comment on whether the form is entirely satisfactory.”

In reality, both Google and Microsoft have had issues with EU regulators over the last few years. As we have said in previous blogs, part of this is to be expected, as the law fails to keep pace with technology. Microsoft may not be initiating legal change, or influencing the views of regulators as to what is required to comply with the law, any more than Google. But its active engagement and willingness to create the impression that it is working collaboratively with regulators strengthens its position as a provider that can be trusted to further develop and maintain core business technology in regulated sectors such as financial services. This is likely to give major regulated corporate customers much needed confidence.