French National Data Protection Commission on Monday announced a €50 million fine being imposed on Google over violations of the General Data Protection Regulation, the European Union’s strict new privacy law that went into effect in mid-2018. The penalty that amounts to almost $57 million marks the first major transgression of the new law and one that was preceded by over half a year’s worth of investigations.
The CNIL’s case against Google started in late May when the agency received collective complaints from reputable associations that delivered reports about Google’s supposedly dishonest data policies, having been signed by thousands of individuals, according to CNIL’s estimates. As per the official conclusions of the probe, Google failed to inform its users of the type and extent of data it collects on them and also did not obtain proper consent to do so in the first place, thus being in direct violation of several GDPR articles.
New year, old Google
Google’s issues with some high-profile European regulators and legislators hence appear to have continued in 2019, with the firm still facing scrutiny from competition chief Margrethe Vestager who already hit it with two historic sanctions for antitrust behavior over the last two years, alleging Alphabet’s subsidiary wrongfully benefitted from having omnipresent ecosystems Android and Search promote its app at a direct expense of services trying to compete. While this $57-million equivalent fades in comparison to almost $7 billion in fines already attached to Google (still a completely negligible amount for a company this size) by the European Commission’s competition panel, GDPR actually has a highly flexible system when it comes to fine sizes and Google could be risking up to two percentage points of its annual revenue otherwise.
A law like no other
GDPR itself is not terribly complicated to grasp as it’s the only solution that all EU member states managed to agree to implement several years back. The legislation has already been cited on numerous occasions, including serving as the basis for day-one GDPR complaints. Coincidentally, those targeted Google as well. The United States government flirted with the idea of drafting and enacting something akin to GDPR in recent times but given the current ideological divide in Congress, such a complex bill doesn’t appear to be possible over the next two years. California already has one as of last year and the technology segment itself is now actually welcoming such regulatory changes as it would much prefer having to conform to a single, federal-level rulebook instead of 50 state-specific ones, which also means 50 different projects, making app and service development significantly more difficult.
And while Google is currently saying it’s reviewing the CNIL’s decision, the company’s track record with rulings, verdicts, and any form of administrative decisions it doesn’t view favorably suggests it will be looking to exhaust all of its legal options before footing the sizable ticket delivered by the French privacy watchdog. The technology juggernaut is hence expected to share an update on the situation later this year and face more similar accusations moving forward as disagreements over what “common-sense” terms-of-service agreements even are.