When the European Union’s massive data privacy regulation went into effect last May, companies dealing in EU residents’ data had a big question yet to be answered: How vigorously would it be enforced?
Now, with Google facing an eight-figure fine and major streaming services facing new complaints, companies are getting a better sense of what’s at stake if they’re found noncompliant with the General Data Protection Regulation, or GDPR. But still more questions remain, such as when the EU will come after smaller multinational companies for GDPR violations and which European data regulators might come knocking when that happens.
On Jan. 21, Google was fined about $57 million for what a French data protection authority called a lack of transparency, information and user consent regarding how the company personalizes ads. The fine — the first that a U.S. tech company has been issued under the GDPR — stemmed from a complaint filed against Google on May 25, the day the regulation took effect.
Adopted in 2016, the GDPR imposes a host of requirements on companies that collect or process EU residents’ personal data. The French data protection authority, CNIL, found Google to have violated the regulation’s “genuine consent” requirement, under which a user must explicitly opt in to having his or her data shared. Google disclosed to users how it would process their data, according to CNIL, but it spread that information across several online documents, making “the relevant information … accessible after several steps only, implying sometimes up to five or six actions.”
The data regulator also said Google violated the GDPR by having ad personalization options “pre-ticked” when users create an account, requiring them to opt out rather than opt in.
Deborah Shinbein Howitt, a director at Lewis Bess Williams & Weese in Denver who advises on data privacy law, said the Google fine is a signal that EU regulators are serious about enforcing GDPR standards on companies, including those based in the U.S.
Still, the regulators appear to be “starting out a bit slow” in terms of doling out punishment, Shinbein Howitt said. Companies can face GDPR fines as high as 4 percent of their global revenue from the previous year or $23.6 million U.S. — whichever is higher. “Google could have been fined in the billions,” Shinbein Howitt said, adding that higher fines “will likely be coming” in future actions.
What the Google action shows is that European regulators want companies to make it “very easy for people to see and understand what’s going on with their data,” Shinbein Howitt said. That can be an especially difficult task for a company like Google whose data collection and processing activities are massive in scope, she added.
“What we haven’t seen yet is smaller multinational companies getting hit,” said Liz Harding, a shareholder at Polsinelli’s Denver office who practices international data privacy law. Google had been in the EU’s crosshairs for some time, Harding noted, adding that it remains to be seen how aggressively European regulators pursue smaller U.S. companies and those who don’t have an EU headquarters that are nonetheless subject to the GDPR.
“If that were to happen, it would be a real shocker to U.S. companies,” Harding said.
Notably, France’s data regulator took charge of investigating the complaint against Google, and not the regulator in Ireland. The GDPR allows companies to have a “one-stop shop” in the EU, which essentially designates a single data regulator for them to deal with despite having operations across several EU nations. Google insisted that its Irish subsidiary was its main establishment in the EU, but CNIL disagreed, arguing that Google’s decision-making over Android-related data is based in the U.S., so it has no main establishment in the EU.
“I think this jurisdiction piece is one of the most important takeaways from [the fine],” Harding said. Some U.S companies that are on the hook for the GDPR don’t have any operations in the EU, so they can’t avail themselves of the one-stop-shop option. That makes it hard for them to predict which agency they’ll be dealing with should they ever face a GDPR complaint. “We’ve been grappling with this for various clients,” Harding said.
Google plans to appeal the fine, and the appeals process should bring to light more details on how CNIL’s jurisdiction was determined, Harding said.
The data privacy activist group that brought the original complaint against Google, noyb, also issued a new wave of GDPR complaints Jan. 18. The watchdog, whose name stands for “none of your business,” claims Apple, Netflix, Amazon, Spotify, and four other streaming services violated the GDPR’s “right to access” provisions.
Article 15 of the GDPR allows users to request a copy of all raw data a company has about them, including information about where they send that data and from where they receive it. The noyb complaints allege that companies are using automated response systems to address these data access requests, but that those systems aren’t providing users all of the information the GDPR requires.
The complaint against Apple, for example, said it failed to provide information about the purposes of the personal data it processed or who receives it.
“That was pretty surprising” to see that such large sophisticated companies possibly fell short of those requirements, Shinbein Howitt said. She added that those GDPR shortcomings would similarly be a risk for smaller companies with presumably fewer compliance resources.
— Doug Chartier