On January 21, 2019, the French data protection regulator CNIL fined Google €50m ($57m) for breaching aspects of the General Data Protection Regulation (GDPR), which came into effect across the EU in May 2018. Since the law was introduced, the industry has been watching carefully to see how the first instances of noncompliance play out. Google is the first tech company to face a fine under the GDPR framework.
The CNIL has fined Google for failing to provide users with transparent and understandable information on its data use policies, as prescribed by the GDPR. Finally, we are seeing how regulators are interpreting and applying the GDPR since it came into effect in May 2018. The maximum fine under the GDPR is 4% of global annual turnover or €20m ($22.7m), whichever is higher. In theory, this means that Google could be fined almost €4bn ($4.5bn). In this case, however, the French data protection regulator has settled on €50m ($57m). On the face of it, this is not a large amount for a firm of Google's size, and the GDPR allows for significantly larger fines. The regulator has stated that the figure reflects the continuous and ongoing nature of the violations.
According to the regulator, the tech giant failed to meet two key requirements of the regulation:
It was not transparent with users about how their data is being used.
It did not obtain adequate consent from users to monetize their data.
It is not surprising that the first fine levied under the GDPR was the result of a lack of transparency. As Ovum's An Overview of the EU's General Data Protection Regulation (GDPR) report outlines, one of the main challenges companies face when implementing the GDPR is meeting the law's transparency and information requirements. The amount of information that must be provided to data subjects is significant, creating a greater risk that controllers will get this wrong. Given that a tech giant such as Google has been caught out, many other organizations should be concerned. According to Ovum data, 28% of companies were aware they were not compliant with the EU's GDPR following its implementation, and 37% were choosing to ignore it. It remains to be seen whether EU regulators will target smaller businesses or, as some tech companies in Silicon Valley fear, will prioritize penalizing US giants.
Data protection and privacy regulation will certainly remain at the top of the regulatory agenda for years to come, and further cases of noncompliance are likely. Consumer awareness of data protection has been increasing, particularly regarding the value of personal data. Companies should therefore use the GDPR as an opportunity to increase trust and confidence in how they store and use personal data. By moving away from the idea that the GDPR is purely a tick-box exercise, companies can instead treat it as an ongoing compliance requirement. The long-term trend will be toward building a robust global privacy program that not only focuses on the GDPR but is more sustainable and implements the "privacy-by-design-and-default" concept.
OTT Regulation Tracker: 2H18, GLB005-000105 (January 2019)
An Overview of the EU's General Data Protection Regulation (GDPR), GLB005-000075 (September 2018)
2019 Trends to Watch: TMT Regulation, GLB005-000077 (August 2018)
Digital Futures 2018: Accelerating growth in a data-driven world, GLB005-000090 (September 2018)
Sarah McBride, Analyst, Regulation