A slew of recent multi-million-pound fines for data privacy breaches has shown exactly how closely regulators are watching for transgressions.
Already this year the UK’s Ministry of Justice has been served with an enforcement notice (which could lead to a fine of £17.5m) by the ICO; the Internet Advertising Bureau some €250k by Belgian authorities; whilst Google was recently stung with a €150m fine by French authorities. If the first few months are anything to go by, 2022 and beyond may well see a sharp increase in the number and size of fines imposed by regulators.
Given the ever-growing waterfall of fines and enforcement activity, it is forgivable that the significance of the latter, imposed by the Commission Nationale de l’Informatique et des Libertés (CNIL), has been overlooked.
For one, the fine was brought under the ePrivacy Regulations for a breach of cookie and tracking rules, rather than under its more famous younger sibling the GDPR. Ultimately, it was found that Google’s website was configured so that giving consent for tracking was easy, but that declining was made much more difficult, requiring numerous clicks. For any businesses with similar practices, this is an expensive shot across the bows and a reminder that regulators will now demand higher standards for proving consent.
Importantly, it also flags a second key trend we may see develop, namely regulators looking for additional ways to reach across borders to fine companies. This can negate companies’ efforts to reduce this risk through creative company structures. In CNIL’s case, it simply bypassed the GDPR, going after Google directly in the US and in Ireland, sidestepping the Irish enforcer.
The GDPR had established a “one-stop-shop” mechanism whereby the regulator of the country in which a company was based had responsibility for investigating privacy breaches and levying fines. With Dublin home to many of the tech giants, it has proved a controversial burden.
In the words of Robin Berjon, vice-president of data governance at The New York Times, many saw Ireland as a “data haven” whose regulatory “paper tiger” would protect businesses from the bared teeth of the German and French regulatory Rottweilers. The Google fine has shown that regulators will use other tools at their disposal to take direct action. In other words, it has also shown that current thinking on corporate structuring to mitigate the risk of fines by headquartering in the Emerald Isle is not as watertight as some thought.
CNIL justified its action by claiming authority under national e-privacy law and, therefore, that it did not have to follow GDPR procedures. In short, it showed that authorities are prepared to act unilaterally, without seeking the consent of their regulatory peers.
There’s also a Brexit dimension to the future of privacy crackdowns. GDPR and ePrivacy regulations are enshrined in UK local law, so a business could still be subject to similar direct enforcement. There have been curious voices wondering whether a more relaxed interpretation of these laws could see the power shift from Dublin to London. But with the much-anticipated Online Safety Bill set to be published, there is little hope for a safe haven for tech giants.
For years, businesses have been developing workarounds in the form of “creative compliance” solutions, but increasingly these, and their company structures, are coming under scrutiny. They have enjoyed a honeymoon of sorts while regulators struggled to catch up, but the tectonic plates have started to shift.