Governance, Risk & Compliance: GRC
Google Feels the Brunt of GDPR Enforcement
Search engine giant becomes first big tech company to fall foul of tough data privacy regulations as French data watchdog dishes out a landmark fine. Could the floodgates be opening for more of Silicon Valley’s tech behemoths to face the guillotine?
Last week France opened a new chapter in data protection when its data watchdog, the National Commission on Informatics and Liberty (CNIL), slapped search engine giant Google with a €50 million (equivalent to US$57 million) fine on Monday for violating EU privacy law.
Though not the first GDPR fine to have been issued by a European regulator, it’s by far the biggest and the first time one of the tech giants has been snared by the tough new regulation. By hitting Google hard in the coffers, CNIL has set a benchmark for other European data protection authorities, who so far have been somewhat uncertain and hesitant about how exactly to use such fines.
Well, last Monday’s announcement has decisively lifted that uncertainty by handing down a penalty that dwarfs the £500,000 that the UK fined Facebook last October over the Cambridge Analytica scandal, the €400,000 that Portuguese authorities fined one of the country’s hospitals after its staff used bogus accounts to access patient records, and Germany’s €20,000 penalty for chat app service Knuddels.de for storing social media passwords in plain text. Plus, the Austrian Data Protection Authority’s €4,800 fine for a retail establishment that came under fire for having a security camera that was filming a public sidewalk. Peanuts compared to the CNIL’s.
So what exactly is Google being charged with? Well, the French data protection watchdog said Google – whose 20-year success has been built on harvesting the personal data of millions to sell targeted ads – had violated EU privacy rules because it did not properly ask its users for consent on how to use their personal data with regard to personalized ads. In other words, Google is not seeking ‘unambiguous’ consent for all the various ways it processes data, but limiting the steps by pre-ticking certain boxes – in violation of the GDPR principle in which companies are required to gain the user’s “genuine consent” before collecting their information, which means making consent an explicitly opt-in process that’s easy for people to withdraw.
In order for Google to become fully GDPR compliant it would have to start seeking consent to process data for each of its services. Each additional step is a new chance for consumers to opt out of sharing their data, a prospect that could have far-reaching implications not just for Google, but for any organization, large or small, that relies on collecting data to make money.
And for these reasons the search engine giant has chosen to appeal, claiming it had “worked hard” to create a transparent and straightforward GDPR consent process for its ads personalization settings, and was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond”.
Time will tell if Google will or will not pay the penalty, but one thing is certain – GDPR has awakened the world to the importance of data. While data protection authorities take stock of the French watchdog’s move, organizations will no doubt be keeping tabs as the saga unfolds and sizing up their options. Do they carry on as they did before, on the assumption that further fines are unlikely because Google was a target to be hoisted up as an example to all? Or will they look at this strong enforcement of GDPR, double-check themselves and amend their consent-gathering practices to make sure that users, at least in Europe, are selecting OK? In all honesty, they’d be foolish not to.
Meanwhile across the Atlantic, with similar data privacy laws in California and Washington state, along with proposed legislation in New Jersey and other states, US organizations could also be forced to rethink data privacy. Welcome to a new age of data privacy!