By David Meyer
January 22, 2019

Good morning. David Meyer here, filling in for Alan from Berlin.

Yesterday the EU’s much-feared General Data Protection Regulation (GDPR) truly bit for the first time. Wielding the new law, the French privacy regulator slapped Google with a $57 million fine for the way it railroads people into “consenting” to having their data processed, for advertising purposes, when they set up an account.

Google was not transparent about the way it would use the data, said the watchdog, CNIL, as it spread that information over multiple documents. Much of the information was also “too generic and vague,” so the consent people ended up giving Google was neither “specific” nor “unambiguous” — the GDPR requires it to be both. Google therefore didn’t have a legal basis for its data-processing.

The fine was certainly a record-breaker — in the eight months since the GDPR took effect, the previous record was around $450,000 — but is it really enough to hurt Google? Given that Google’s annual revenues exceed $100 billion, that’s the question a lot of people have been asking. But they risk missing the point of the privacy regulation in several ways.

The GDPR is all about changing the behavior of companies that trample over Europeans’ fundamental privacy rights, and the initial fine is just part of the toolkit it gives regulators. The target still needs to fix the problem — if they don’t, regulators have the nuclear option of ordering them to stop transferring data out of the EU.

On top of that, the further the situation escalates, the more reputational damage the company will suffer. As the GDPR allows people to claim compensation for their rights being violated — with a threshold of proof that’s way lower than in the U.S. — the costs can rack up quickly.

Remember too that this is just one investigation. If people complain again, that can mean further fines. Also yesterday, the Swedish data protection authority opened a new GDPR investigation into Google over the way it collects and uses Android users’ location data.

Ultimately, CNIL could have fined Google billions — the maximum fine under the GDPR is 4% of global annual revenue. But this wasn’t the end of the matter. This was a warning shot. And it’s not just Google that should be taking it seriously.

More news below.

David Meyer

