During the mad scramble for General Data Protection Regulation (GDPR) compliance in the early part of last year, industry analysts were still speculating about the priorities and rigor of the European Union (EU) regulators. Major GDPR fines at the beginning of 2019 have helped to bring some much-needed clarity. The 50 million euro fine handed out to Google by supervisory authorities indicates that regulators are taking the letter of the law very seriously.
Google’s big GDPR violation
Google received the €50 million fine from French regulator CNIL for failing to adequately inform users about their data collection practices, and not giving users enough control over how their information is used.
The complaints were brought by two French privacy advocacy organizations shortly after the new data protection law went into effect in 2018. CNIL found that information on how data is used is not easily accessible enough to users, with important facts scattered across too many different documents. CNIL also found that some of Google’s descriptions of their data processing methods were too vague or unclear.
On this basis, CNIL ruled that the search giant failed to comply with the GDPR by not adequately obtaining the consent of users, particularly emphasizing that consent must be given for each specific purpose of data use rather than *en masse* with one checkbox that covers multiple purposes.
The record size of the fine was based on the number of violations in the French market (given Google’s tremendous user base) and the fact that the violations are continuous and remain unaddressed.
Tech giants in the crosshairs for major GDPR fines?
This was the first GDPR fine for one of the “whales” of the tech world, and also the largest fine levied against anyone to date.
Relatively speaking, the fine is very little to a company that makes in the neighborhood of 30 billion euros per quarter. It was over 10 times larger than any previous GDPR fines, however, and was also relatively lenient in terms of what the GDPR allows. Given that “conditions of consent” were involved, the maximum total of GDPR fines for this sort of infraction could have amounted to as much as 4% of Google’s annual global turnover.
It’s reasonable to believe that this initial fine wasn’t meant so much as a deterrent as it was a warning. Google will have to pause and reconsider how it collects and handles its ream of advertising data, and consumer awareness of protected categories of personal data is likely to increase as GDPR fines like this are handed out.
Though it could potentially be on the hook for larger GDPR fines in the future should they not comply with the CNIL decision, a Google spokesperson has announced that the company plans to appeal.
Perhaps the biggest takeaway from this fine is that it may signal a priority shift for the European data protection authorities. The GDPR fines issued to date have targeted much smaller entities, and the pattern seemed arbitrary – a hospital in Lisbon, a relatively small social media company based in Germany and a local business in Austria that had a CCTV security camera pointing the wrong way. Investigations and GDPR fines are initiated after complaints are made, but one has to assume numerous complaints have already been lodged about nearly any enterprise-scale company that gathers personal data. Observers have been wondering when the floodgates would open for the major tech companies, and this may be the first of many GDPR fines for them in 2019.
Regions of enforcement
The Google case has also clarified which of the data protection authorities will handle GDPR fines involving large multinational companies.
Google is officially headquartered in Ireland, as many other large companies are for tax reasons. The GDPR has the Data Protection Authority (DPA) of the company’s home country take the lead on the investigation, but the wording of the act also specifies that they are able to coordinate with any other member state to deliver GDPR fines if violations occur in other countries.
In this case, the investigation was turned over to the French DPA since the complaints originated there and it was the location of the affected parties. The key to this decision was that Google’s branch in Ireland did not have sole decision-making power in terms of the creation and configuration of new accounts for both Android and their various online services.
Lessons for companies from the Google fine
It is now open season for GDPR enforcement actions, and companies would be wise to keep an eye on these decisions and re-evaluate their data transfer and storage practices as new precedent is established.
End users should also not have to drill down through multiple pages to get a full explanation of how protected data is being used, and wording must be understandable to the average person – no more “legalese.” High standards of transparency are the new normal in the EU.
End user consent cannot also be implied by the creation of an account. Google got in trouble for having certain boxes checked by default, and requiring the end user to go looking for them after account creation to un-check them.
Finally, consent cannot be implied by purchasing and using a device. Google effectively requires you to set up an account with them to make full use of any Android device; for example, you can’t use the Google Play Store (the main and only officially sanctioned source of apps) without one. Even if you do not set up a Google account, there are still some privacy settings that are determined by default when you first start up the device. The GDPR specifies that the setup process of a device has to be separate from setting up any accounts that require giving consent for use of personal data.