Back in December, I wrote an article asking why, six months after the European Union’s General Data Protection Regulation (GDPR) had come into force, we had not yet seen any major fines or punishments for firms that had misused or mishandled personal data. The lack of sanctions, I argued, made the new regulatory powers toothless.
That changed last week, after Google was hit with a substantial €50m (£44.1m) fine by the French data regulator.
France’s National Data Protection Commission (CNIL) found that the tech giant was responsible for two breaches under GDPR: there was a lack of transparency around how to access its data policies, and Google lacked valid user consent regarding the personalisation of ads.
As a result of these breaches, CNIL has dished out its first ever GDPR fine – the largest fine so far since the regulations came into force last May.
But how significant is this news? After all, the EU’s antitrust commission slapped Google with a $5bn sanction last year for abusing its dominance in the Android smartphone market. The new fine is a tiny fraction of that, and will likely barely register in terms of Google’s overall finances – it reported yearly turnover of around $31bn in April last year.
However, the monetary cost of the fine is only one part of the story.
First, even for Google, the implications will expand beyond just €50m. The high-profile ruling will have impacted Google’s public image as a trustworthy data company (remember its old “don’t be evil” slogan), and may push people to re-evaluate their relationship with the tech giant.
“This will create a much bigger awareness to the end user that maybe they should be a bit more concerned about what Google is doing with their data and how it’s using it,” says Shaun Hurst, international technical director at electronic communications and data archiving specialist Smarsh.
Second, looking more broadly, the fine serves as a warning shot to the wider tech industry to mend its ways.
GDPR now presents a hurdle to how companies collect and monetise data on the internet, warns Ron Moscona, partner at law firm Dorsey & Whitney.
“Regulators can impose much higher penalties if they choose to,” he says. “The indications are that, after many years of under-enforcement, regulators in the EU are prepared to use GDPR and flex their muscles.”
Targeted advertising is a major source of revenue, not just for Google, but for much of the digital industry – the issue is getting users’ consent to collect their data to personalise these ads.
Tech companies would likely argue that personalisation makes ads more relevant and useful to the end user, but the new ruling directly targets this business model.
“The fine goes way beyond Google,” explains Sonia Cisse, managing associate at Linklaters.
“Companies like Facebook, Amazon, any firms with a similar business model based on the processing of personal data for targeted advertising could be sanctioned with high fines in the near future. CNIL is sending a strong message to companies with business models which are not complying with the requirements of GDPR.”
Obviously, companies should comply with regulations, but many firms are still getting used to how the new rules work. There is a learning curve – mistakes will be made.
But worryingly, the ruling indicates that the GDPR complaints system may be open to abuse.
The CNIL decision wasn’t the result of something the search engine had done recently. The watchdog had been investigating Google and its practices since June 2018 – shortly after GDPR came into force – based on complaints by two activist groups, None Of Your Business and La Quadrature du Net.
These groups, which advocate for digital rights and privacy, claimed that Google had no valid legal basis for processing the personal data of its users.
These activists are not just challenging Google: they have filed similar complaints against Apple, Facebook, Amazon and Microsoft, all of which are currently under investigation by regulators elsewhere in the EU.
It’s important that the tech community keeps an eye on these groups, as they are keen to use the powers granted by GDPR not just to hold businesses to account, but to cause frustration and force them to waste time and money.
Under GDPR, someone can request all of their personal information from a company. This can be expensive and difficult for an organisation to provide, not least in terms of the man-hours necessary to gather it all.
“There are activists out there going to companies to see what havoc they can cause, where they’re not concerned about privacy, but just think ‘I don’t like Google’,” warns Hurst.
Google has already announced that it is going to appeal against the decision – not that it had much choice, as accepting the punishment would be seen by the public as implicitly acknowledging fault.
But the tech giant is making an effort to show that this isn’t just about protecting its own skin, and warned in a statement that the implications of the fine may harm “publishers, original content creators, and tech companies in Europe and beyond”.
Google may have a point here: if getting user consent for ad personalisation becomes more difficult, companies and creators will lose money. While consumers and regulators are right to be concerned about user data – especially if it is lost or stolen – an entire industry has been built on personalisation.
There will be casualties – and not all of them will be tech giants like Google which can afford to take the hit.
This ruling might just be the tip of the iceberg. CNIL implied that if Google doesn’t find a different way to do business, it is likely to be hit by further sanctions, and other tech firms currently under investigation may soon be whacked with fines.
European regulators are right to act in order to protect the personal data and privacy of citizens on the internet, and should punish firms that commit wrongdoing. But we must be careful that GDPR is not used and abused to cripple companies as a form of revenge.
Otherwise, the economic damage and loss of jobs will soon outweigh any of the good that GDPR might do.