GDPR strikes Google

January 22, 2019 | Expert Insights

France fines the tech giant 50 billion Euros under the EU’s new privacy regulations, the General Data Protection Regulation, which was implemented in May 2018.

Google is the first major tech company to be fined since the introduction of the GDPR rules.

Background

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personal data of individuals (formally called data subjects in the GDPR) inside the EEA, and applies to an enterprise established in the EEA or—regardless of its location and the data subjects' citizenship—that is processing the personal information of data subjects inside the EEA.

Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable.

Analysis

Google has become the first US tech giant to be fined under the EU’s new privacy rules after it was slapped with a €50m penalty for failing to be transparent about how it uses data and not having a legal basis for personalising ads.

France’s data protection office, CNIL, found the US search engine guilty of breaking the General Data Protection Regulation in a decision that will heighten concerns among other tech companies, data brokers, credit reference agencies and advertising groups facing similar complaints under GDPR. The regulator said Google’s users are not able to fully understand how the company uses data because its disclosures are too “generic and vague” and spread across lots of different screens and documents.

The watchdog said measures implemented by Google to head off privacy fines, such as new documents and tools for users, did not go far enough. It raised particular concerns about Google’s approach to seeking consent for ad targeting.

The decision will force Google to reconsider how it seeks consent to collect data for its multibillion-dollar advertising business in Europe. Google said it was “studying the decision to determine our next steps”.

CNIL’s fine follows an investigation triggered by complaints from non-profit organisations None of Your Business and La Quadrature du Net. None of Your Business was set up by activist lawyer Max Schrems, who has previously succeeded in a privacy complaint against Facebook.

Mr. Schrems filed complaints against Google’s Android operating system and Facebook, as well as Facebook’s messaging app WhatsApp and photo-sharing network Instagram following the introduction of GDPR last May. None of Your Business has since asked regulators to investigate Netflix, Google’s YouTube, Amazon, Apple and Spotify.

Other organizations have filed complaints under GDPR, with campaign group Privacy International accusing data broker Acxiom, software giant Oracle, credit rating agencies Experian and Equifax and adtech companies Criteo, Quantcast and Tapad of breaking the new privacy rules.

Analysts said the decision from CNIL could pave the way for a wave of fines by establishing how GDPR should be interpreted. The rules are the most far-reaching in the world, requiring “informed and specific consent” and giving regulators the power to issue fines of up to €20m, or 4 per cent of a company’s annual turnover, whichever is greater.

Assessment

Our assessment is that the European Union has made it abundantly clear that simply claiming to be compliant is not sufficient. It appears that large business enterprises like Google interpret the law differently and may have only superficially adapted their products.