GDPR, we were told, was an attempt to rein in the power of the giant techs and the threat they pose to our privacy. If data is the new oil, as some claim, then others argue that data is the new pollution, the privacy-infringing gas. GDPR has been championed as the one weapon that can restore our human right to privacy. And that takes us to Google’s GDPR fine.
Google LLC, turnover $90 billion in 2017, has been fined a small fraction of the maximum allowed (up to four per cent of global annual turnover); it has to fork out just $57 million (50 million euros).
The fine was imposed by CNIL, the French data protection regulator, on Google LLC, but the decision was addressed to Google France, whose turnover in 2017 was 326 million euros, to make the payment.
Though Google’s GDPR fine was modest by the standards of one of the world’s largest companies, it at least dispels one myth: that GDPR is like Y2K. And for Google France, it is a major blow.
Not so long ago, cynics were saying of GDPR: ‘It’s a damp squib’. Or ‘It will be just like the millennium bug, Y2K, a load of hype that fizzles into the ether’. Or ‘privacy is for the data protection officer, for the compliance folk, it’s not for me to worry about’. Well, now we know that was all wishful thinking. Google’s GDPR fine at least sends GDPR and privacy into the mainstream.
It is not just an IT problem, or a compliance problem, it is mission critical.
In its statement, CNIL notes the fundamental role of lawfulness and transparency in giving people control over their data. It also notes the extent of Google’s processing and targeted advertising, which reveal very personal details about an individual and affect their fundamental right to privacy, and it reminds us that a key aim of the GDPR is to protect people’s fundamental rights, in particular the right to data protection.
Abigail Dubiniecki, privacy lawyer and contributor to Information Age said: “Everyone’s focused on the fines but there’s so much more. We now have case law that gives us – using real-life facts – a list of do’s and don’ts in conveying privacy information. One key takeaway: if it takes 6 or 7 clicks to learn what Google’s doing with your data and how that might impact you, that’s not transparency. And wrapping it all together under a click-wrap consent blanket doesn’t give you valid consent. That’s decision architecture designed to obfuscate, frustrate, and tick a compliance box. I call this the ‘pseudo-consent carousel’. You’re so dizzy at the end of all those clicks and turns you’ll do anything to make it stop and get on with your life, like, well, tick a box that says I consent to everything. Have my first-born (and his data too!). You won’t be any wiser for it, but you’ll know you’ve been taken for a ride.”
CNIL said that “Google…should have ensured it had valid consent and that it properly informed users of what it was doing.” Google has four months to appeal the decision.
“Even if, as Google suggested, only 7% of users were affected (i.e. the ones who felt they had to create a Google account to use the Android devices) the number is significant. Moreover, the number of Android users already having an account is much higher and their experience in terms of the ongoing processing is virtually the same as the new account holders.”
CNIL also believed that “this was an ongoing non-compliance issue, persisting even at the time of the decision, not a one-off. Also, the processing and targeted advertising were/are key parts of Google’s business model and Google should have taken the care to ensure it got its GDPR obligations right.”
If Google appeals, the amount of the fine could be revised upward.
Regarding the level of the fine, Abigail added: “I think the fine issue is overblown, especially in light of competition law fines they receive. But there are bigger implications for this decision as I said earlier. They built their entire business model on a house of cards. They can’t say they have consent, so they have no lawful basis to use this data. That opens the door to a right to be forgotten over the whole lot, including potentially the data used for targeted advertising, and other lawsuits. There’s nothing stopping copycat lawsuits before other regulators like the ICO because Google LLC can’t use the one-stop-shop. But Google’s now been outed as specifically designing its privacy notices to hide information and twist people’s arms. They make the consequences of not getting a Google account crystal clear in context at set-up. But privacy info is hidden and fragmented and crucial parts only delivered after the fact. With this decision on the record the rest of the companies relying on similar practices (I’m talking to you Oath) can’t pretend they thought they were compliant. This sets a precedent that strikes at the heart of Google’s business model which seems to be no-Privacy-by-Design.”
“But on the fine, I wonder if they miscalculated. It is so small. Just to illustrate, a former Google employee, in an article from Feb 2018, said if he made a $10 million mistake he would be required to do a post-mortem and lessons learned but he wouldn’t get fired because it didn’t have a huge impact on Google’s bottom line. If Google appeals, the amount of the fine could be revised upward… that’s risky…”
Even so, Google’s GDPR fine could be just the start of bigger things to follow.