What to know about Google’s GDPR troubles
When it comes to the General Data Protection Regulation, the honeymoon for businesses seems to be over.
Google is the first company to be hit with a serious financial penalty for what France’s National Commission for Informatics and Liberty, known as CNIL, has deemed a violation of GDPR. This week, The Telegraph reported that the U.K.’s Information Commissioner’s Office is also investigating the tech giant’s approach. Google has said it is appealing the CNIL’s decision.
“In common with many other [data protection agencies] in Europe, we have received complaints relating to Google and are reviewing with our EDPB [European Data Protection Board] counterparts partners how these will proceed,” said an ICO spokesman.
As with anything GDPR-related, nothing is straight-forward. Here’s a rundown on the latest implications.
CNIL’s case against Google:
Burying privacy terms so that users have to click five or six times to find details on for example, how their location data is used — and that Google has conflated multiple processing purposes to use personal data to target ads.
95,000: Number of GDPR complaints received by data protection authorities since last May.
42,000: Number of data breach notifications received by DPAs.
€50 million: ($57 million): size of fine French DPA has levied.
Jan. 22: The date the Irish DPA was made the official lead GDPR supervisory for Google’s European operations.
15: Number of statutory investigations open at the Irish DPA, and filed against multinational technology companies. None of these include Google, according to the regulator.
It’s all in the timing
CNIL moved quickly to make its verdict ahead of a key bump in the road: the Irish DPA attaining sole power over the decision of whether to fine Google for breaching GDPR. That’s an authority the Irish DPA was only granted on Jan. 22, the day after the CNIL revealed it had fined Google for violating the law. In GDPR speak, this is known as a “one-stop-shop mechanism” and was put in place so that any business with cross-border operations would only need to deal with one lead DPA — and, in theory, avoid any further confusion. It meant that Google’s U.S. entity was responsible for processing EU user data, whereas now its Irish unit will do so. CNIL headed this off in its announcement, stating that it began investigations long before Google’s one-stop shop mechanism was applicable. All in all, clever timing by the French regulator.
With 28 different member states in the European Union, each with its own national DPA, alignment on the law’s enforcement was always going to be messy. But according to the European Data Protection Board — the body established to ensure consistency and a joined-up approach among the different DPAs of the European Union’s 28 DPAs — as of Jan. 22 the Irish DPA’s Google verdicts are the ones to watch.
“For any potential GDPR violation taking place once Google has a main establishment in the EU, the relevant lead supervisory authority will be the only one, in principle, to take coercive measure against Google,” said an EDPB spokeswoman.
DPA jurisdiction is a minefield
So far, it’s only France’s regulator that has come out with a clear verdict and proposed a penalty for Google. The ICO has confirmed it is liaising with other DPAs in other countries, to discuss the CNIL verdict. The ICO has not confirmed whether or not it will align with CNIL and fine Google, although it has stipulated it is reviewing complaints people have made against Google.
Since the Irish DPA only gained lead regulator for Google in Europe on Jan. 22, the CNIL verdict will stand. But there is a question mark over which and how many DPAs have the right to fine Google in the future.
A spokeswoman for the Irish DPA said that it has received complaints against Google, but that it currently has no plans to investigate the tech giant. However, although the Irish DPA has, in theory, the lead position, other DPAs can still contest its verdicts with relation to Google, according to the EDPB spokeswoman. Any DPA can challenge the decision made by another, and the same goes for the Irish DPA. Should that occur, the decision would then be kicked up to the EDPB, which would facilitate the discussion among the various DPAs.
In other words, should the Irish DPA decide not to fine Google for any proposed GDPR violation, it could be challenged by the other DPAs — who would then discuss it en masse and likely agree to some kind of compromise.
Honeymoon is over
While the majority of GDPR warnings and fines have come from the French regulator, it won’t likely remain that way. The ICO’s decision to look into the CNIL verdict, along with the momentum of various privacy activists continuing to lodge complaints will continue to build, according to publishing and ad tech executives.
“Publishers should be OK, but ad tech vendors should be worried,” said an ad tech executive who spoke anonymously. “They’re [publishers] not mining people’s profiles and using that data to target people across the web. It’s other ad tech vendors that should be worried. And it looks like CNIL has emboldened other DPAs across Europe.”
Member ExclusiveMedia Briefing: How sportsbooks are placing bigger bets on sports media outlets
In this week's Media Briefing, media editor Kayleigh Barber looks at how sports betting companies are pushing more money to publishers.
As the FTC takes aim at tech giants, the regulator just lost key tech and data privacy leaders
The FTC has just nine technologists, and three recent departures could stymie its hiring goals.
Omnicom Media Group signs onto Disney’s new clean-room offering as it also launches a brand purpose initiative
The media agency network's brand purpose initiative hits on misinformation, fraud, ethics and DE&I issues; it's also the first agency signed up to Disney's new clean-room offering.
SponsoredThree ways brands are tapping into the fan psyche to cultivate connection
Mukta Chowdhary, vp cultural insights, WarnerMedia Recently published research, Welcome to the Age of Intentionalism, reinforced what brands already know: 2020 was not without its challenges, but the industry also witnessed a birth of intentionality by consumers — they formed new habits, renounced old ones and gained clarity on what mattered most to them. As consumers […]
Member ExclusiveCase Study: How Dentsu is pushing advertisers to embrace brand integrity
After 2020, brands got serious about brand safety, taking steps to ensure media placements weren't appearing alongside harmful content. At Digiday's Media Buying Summit, Dentsu's Brand Safety team talks about what it'll take to create industry wide media buying standards.
‘I think it’s all talk’ about DE&I: Overheard at Digiday’s Media Buying Summit
Participants in a breakout session at Digiday's Media Buying Summit ripped away the proverbial band-aid that might have made anyone feel significant progress is being made on DE&I in the media agency world.