After months of speculation about GDPR enforcement, French regulators handed Google a EUR 50 million fine for failing to properly obtain valid user consent to gather data used for targeted advertising. The first significant GDPR fine raises many questions for businesses, big and small. Let's consider some of the implications.
We also published a write-up of the most interesting developments concerning GDPR earlier this month.
How Google Violated GDPR
Briefly, France’s National Data Protection Commission (CNIL) identified the following problems (in French) with Google’s handling of personal data.
- Google violated rules requiring information about data collection to be transparent. Full information on data-processing purposes and data-storage periods was not presented in a single place. CNIL appears to have weighed heavily the fact that Google holds vast amounts of data about individuals, stating: “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”
- Boxes giving consent to certain data-processing practices were pre-checked, which is a violation of the GDPR.
These shortcomings led CNIL to conclude that Google had failed to obtain appropriate consent from users for serving personalized ads. The investigation into Google’s privacy practices was launched after two groups of privacy activists filed complaints against Google on May 25th, 2018, the day the GDPR entered into force. In response to the fine, Google said that it is studying the decision to determine its next steps. The company can appeal the decision.
Update 23/01/2019: Google confirmed on Wednesday that it will appeal the fine.
Implications of the Google GDPR Fine
While significant in absolute terms, the EUR 50 million fine represents only roughly 0.05% of Google’s USD 110.8 billion revenue in 2017, a far cry from the maximum fine of 4% of global revenue that could have been imposed. Although a relatively small percentage, the fine is by far the largest amount imposed by any national regulator since the new law entered into force. Moreover, it marks the starting line for a possible wave of enforcement actions as national regulators start wielding the tool and testing its boundaries. Many companies, including many of Silicon Valley's tech giants, engage in data-processing practices similar to Google's. It seems likely that European regulators will pursue other tech companies for similar practices.
The action also makes it clear that practices that were considered “good enough” prior to the introduction of the GDPR are no longer legal. For the secondary processing of personal data (commonly referred to as big data) to be legal under the GDPR, companies need to ensure that their safeguards take the following factors into account: (a) the secondary processing must be compatible with the original purpose for which the data was collected, (b) it must use only the minimum amount of data necessary for the purpose for which it is processed (known as data minimization), and (c) it must satisfy a “balancing of interests” test. This GDPR enforcement action against Google makes it clear that companies need to be explicit with users about how and for which purposes their data is being processed, particularly when the data is used across a large number of services, as is the case with Google. Expect scrutiny of big data practices to increase.
Despite the fact that Google allows users to modify their privacy settings when they create an account, CNIL faulted the company for serving users personalized ads as the default setting. The move suggests a strict attitude from CNIL towards consent going forward.
What to Expect Going Forward
The interesting question is how other Data Protection Authorities (DPAs) will react to this decision. As the CNIL determined in this enforcement action that Google did not have a "main establishment" at the time the complaint was investigated, any European DPA would have been equally competent to bring an enforcement action. Following CNIL's enforcement action, other European DPAs may now attempt to bring actions against Google over the same facts pertaining to their nationals. This could potentially increase the pain beyond the EUR 50 million fine by ramping up the pressure on Google to change its practices.
However, CNIL will not be able to order changes to Google’s data handling practices on its own going forward. It will primarily have to work together with Ireland’s Data Protection Commissioner (DPC). Ireland’s DPC became Google’s primary privacy regulator in the EU following changes to Google’s terms and conditions on January 22nd of this year. This also means that the GDPR's "one-stop-shop" mechanism should now apply to Google, so that enforcement actions against the company can only be coordinated by Ireland's DPC. This holds provided that Google's designation of Ireland as its lead DPA is not challenged by other European DPAs.
While the fine levied by CNIL may be nothing more than a drop in the ocean for Google, the potential changes the technology giant will be forced to make to its data-processing practices in the European Union could fundamentally call into question its business model. Ultimately, the risk for Google is that once users realize how their personal data is being used, many users may start opting out of being served personalized advertisements.