When it comes to the General Data Protection Regulation, the honeymoon for businesses seems to be over.
Google is the first company to be hit with a serious financial penalty for what France’s National Commission for Informatics and Liberty, known as CNIL, has deemed a violation of GDPR. This week, The Telegraph reported that the U.K.’s Information Commissioner’s Office is also investigating the tech giant’s approach. Google has said it is appealing the CNIL’s decision.
“In common with many other [data protection agencies] in Europe, we have received complaints relating to Google and are reviewing with our EDPB [European Data Protection Board] counterparts partners how these will proceed,” said an ICO spokesman.
As with anything GDPR-related, nothing is straightforward. Here’s a rundown on the latest implications.
CNIL’s case against Google:
Burying privacy terms so that users have to click five or six times to find details on, for example, how their location data is used, and conflating multiple processing purposes to use personal data to target ads.
95,000: Number of GDPR complaints received by data protection authorities since last May.
42,000: Number of data breach notifications received by DPAs.
€50 million ($57 million): Size of the fine the French DPA has levied.
Jan. 22: The date the Irish DPA was made the official lead GDPR supervisory authority for Google’s European operations.
15: Number of statutory investigations open at the Irish DPA, and filed against multinational technology companies. None of these include Google, according to the regulator.
It’s all in the timing
CNIL moved quickly to deliver its verdict ahead of a key bump in the road: the Irish DPA attaining sole power over the decision of whether to fine Google for breaching GDPR. That’s an authority the Irish DPA was only granted on Jan. 22, the day after the CNIL revealed it had fined Google for violating the law. In GDPR speak, this is known as a “one-stop-shop mechanism” and was put in place so that any business with cross-border operations would only need to deal with one lead DPA and, in theory, avoid any further confusion. Previously, Google’s U.S. entity was responsible for processing EU user data, whereas now its Irish unit will do so. CNIL headed this off in its announcement, stating that it began investigations long before Google’s one-stop-shop mechanism was applicable. All in all, clever timing by the French regulator.
With 28 different member states in the European Union, each with its own national DPA, alignment on the law’s enforcement was always going to be messy. But according to the European Data Protection Board, the body established to ensure consistency and a joined-up approach among the European Union’s 28 DPAs, as of Jan. 22 the Irish DPA’s Google verdicts are the ones to watch.
“For any potential GDPR violation taking place once Google has a main establishment in the EU, the relevant lead supervisory authority will be the only one, in principle, to take coercive measure against Google,” said an EDPB spokeswoman.
DPA jurisdiction is a minefield
So far, it’s only France’s regulator that has come out with a clear verdict and proposed a penalty for Google. The ICO has confirmed it is liaising with DPAs in other countries to discuss the CNIL verdict. The ICO has not confirmed whether or not it will align with CNIL and fine Google, although it has stipulated it is reviewing complaints people have made against Google.
Since the Irish DPA only gained lead regulator status for Google in Europe on Jan. 22, the CNIL verdict will stand. But there is a question mark over which and how many DPAs have the right to fine Google in the future.
A spokeswoman for the Irish DPA said that it has received complaints against Google, but that it currently has no plans to investigate the tech giant. However, although the Irish DPA has, in theory, the lead position, other DPAs can still contest its verdicts in relation to Google, according to the EDPB spokeswoman. Any DPA can challenge the decision made by another, and the same goes for the Irish DPA. Should that occur, the decision would then be kicked up to the EDPB, which would facilitate the discussion among the various DPAs.
In other words, should the Irish DPA decide not to fine Google for any proposed GDPR violation, it could be challenged by the other DPAs — who would then discuss it en masse and likely agree to some kind of compromise.
Honeymoon is over
While the majority of GDPR warnings and fines have come from the French regulator, it likely won’t remain that way. Momentum will continue to build from the ICO’s decision to look into the CNIL verdict and from various privacy activists continuing to lodge complaints, according to publishing and ad tech executives.
“Publishers should be OK, but ad tech vendors should be worried,” said an ad tech executive who spoke anonymously. “They’re [publishers] not mining people’s profiles and using that data to target people across the web. It’s other ad tech vendors that should be worried. And it looks like CNIL has emboldened other DPAs across Europe.”