On Monday, the Internet giant announced that it's shuttering Google+, its little-used social network, alongside news that a bug had exposed the information of about 500,000 users. In a blog post, Google VP of engineering Ben Smith wrote that the bug was discovered in March, and quickly patched, as part of an audit of third-party apps that tapped into Google+'s API. The bug exposed information marked private by users, but Smith wrote that Google found no evidence the security flaw was abused.
"Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+," he wrote.
Case closed, right? It may not be quite that simple, according to some privacy experts.
Gabriela Zanfir-Fortuna, Policy Counsel for the Future of Privacy Forum and an EU data protection law expert, said that based on the preliminary information, Alphabet likely won't be subject to any EU penalties because the breach was apparently discovered and patched before GDPR took effect in May, but that authorities are looking into the incident.
"The position of the European authorities is that under the GDPR not all security incidents are personal data breaches, so an analysis of all elements of the incident is always needed and the result depends case by case," she added. "The Data Protection Commissioner of Ireland already announced today that they are requesting more information from Google to establish the facts and see if any further action is needed," she said.
In the U.S., the landscape of privacy laws is a bit more complicated. "Our data breach notification laws go state-by-state, but generally follow the same pattern," added Everett Monroe, an attorney with Hanson Bridgett. "The categories you need to notify [consumers] for are relatively limited and deal with things like financial and health care information."
Privacy laws are changing, however, with states such as California preparing to enact more sweeping GDPR-esque consumer privacy rules and a national law under discussion. Last month, executives from Alphabet, Twitter (TWTR) , Amazon (AMZN) Apple (AAPL) and others joined lawmakers on Capitol Hill to discuss what a federal consumer privacy law should look like. And the Google+ incident could cast an unflattering light on the Internet and search giant.
Even if Alphabet isn't subject to any penalties from the Google+ incident, it might mean heightened scrutiny of Alphabet and its many popular products: Gmail, G Suite, Google Maps, and of course its search engine. Despite the ubiquity of Google's products, the company has escaped much of the criticism that's bogged down Facebook (FB) -- in part because many consumers simply aren't aware how its services are interlinked, noted Calli Schroeder of Lewis Bess Williams & Weese.
"I think at the very least, it should invite some consideration of Google's reach," said Schroeder. "It's possible that it's partly Google spreading itself too thin and not having the resources to keep up with privacy requirements."