Google has been hammered with a massive fine by France’s CNIL data watchdog | Leon Neal/Getty Images
Eight months after Europe imposed sweeping new privacy rules, France has opened a new chapter in data protection — one of sanctions, fines and tough enforcement.
Not only has France’s CNIL data watchdog issued the largest ever financial penalty for a privacy breach in Europe — €50 million — it also chose the biggest possible target for enforcement — a Silicon Valley giant whose success was built on harvesting the personal data of millions to sell targeted ads.
The penalty caps a lengthy period of uncertainty during which Europe’s data protection authorities, having been granted vast new powers under the General Data Protection Regulation in May, hesitated about how exactly to use them. Now Isabelle Falque-Pierrotin, who’s in charge of France’s National Commission on Informatics and Liberty (CNIL), has decisively lifted that uncertainty by handing down a penalty that dwarfs the £500,000 that Britain fined Facebook last October over the Cambridge Analytica scandal.
In doing so, Falque-Pierrotin set a benchmark for other European data protection authorities — her parting gift as outgoing chair.
Google’s base of operations for Europe, Middle East and Africa is in Ireland, a low-tax destination where the company has more than 7,000 staff compared to hundreds in France.
Yet it was the French regulator, not Ireland’s Data Protection Commission, that took the lead on investigating and ultimately fining Google over an alleged breach of GDPR, hinting at disparities in culture between different EU countries that share the same basic privacy rulebook. (The complainants behind the fine, Austrian privacy campaigner Max Schrems and France’s Quadrature du Net advocacy group, originally filed their complaints in France.)
The move by Falque-Pierrotin, who’s due to be replaced by Marie-Laure Denis at the end of this month, also raises serious questions about the business model of companies that rely heavily on harvesting and processing data to make money.
A matter of consent
In a statement accompanying its announcement, the CNIL specified that it is sanctioning Google over a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
In other words, Google is not seeking “unambiguous” consent for all the various ways it processes data, but limiting the steps by pre-ticking certain boxes — in violation of the GDPR principle by which users need to OK each specific use of their data.
In order to become fully compliant, the statement suggests that Google would have to start seeking consent to process data for each of the many services it provides. Each additional step is a new chance for consumers to opt out of sharing their data, a prospect that could have far-reaching implications not just for Google, but for any company that relies on collecting data to make money.
The CNIL acknowledges the business impact, pointing out “that the economic model of the company is partly based on the ads personalization. Therefore, it is of utmost responsibility to comply with the obligations on the matter,” according to its statement.
In response to the decision, a Google spokesperson said the firm was “studying the decision to determine our next steps.” The spokesperson added: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
However, the company did not specify whether or how it plans to change its consent practices, or if it would appeal against the ruling.
‘Way beyond Google’
With so much attention focused on data scandals ranging from the Facebook/Cambridge Analytica breach to a major breach at Google+, the search giant’s critics welcomed the fine.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Schrems, an Austrian privacy campaigner.
The 31-year-old lawyer by training has several other lawsuits pending against big U.S.-based tech companies, including Facebook, notably in Ireland. Monday’s decision adds a notch to his belt and hints that other GDPR fines, targeting other big Silicon Valley brand names, may be looming.
Like Google, Facebook, LinkedIn, Amazon and Twitter also thrive, at least in part, thanks to users’ personal data. Now their consent-gathering practices are also likely to be scrutinized, while the threat of fines has become more real than ever.
“This decision goes way beyond Google,” Sonia Cissé, managing associate at law firm Linklaters, said in an emailed statement.
As other data protection authorities take stock of the CNIL’s move, tech firms will be sizing up their options. One is to carry on as they did before on the assumption that the CNIL wanted to make an example of Google, and that further fines are unlikely. The other is to amend consent-gathering practices to make sure that users, at least in Europe, are ticking OK to every last purpose for which their personal data is to be used.
Schrems said: “Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
The GDPR only applies to EU subjects, so the CNIL’s move should not immediately affect Google’s practices in the United States. The financial impact of a €50 million fine, if Google ends up paying it, will barely register as a blip on the company’s balance sheet.
But soon enough, digital giants may be facing similar rules in the United States. California has already passed state privacy legislation that echoes the spirit of the GDPR, and other states are following in its footsteps. A federal privacy law is, at this point, a “historical inevitability,” Microsoft President Brad Smith told POLITICO.
He added during a meeting with journalists in Brussels: “This is the year privacy jumped the Atlantic.”