What to know about Google’s GDPR troubles
When it comes to the General Data Protection Regulation, the honeymoon for businesses seems to be over.
Google is the first company to be hit with a serious financial penalty for what France’s National Commission for Informatics and Liberty, known as CNIL, has deemed a violation of GDPR. This week, The Telegraph reported that the U.K.’s Information Commissioner’s Office is also investigating the tech giant’s approach. Google has said it is appealing the CNIL’s decision.
“In common with many other [data protection agencies] in Europe, we have received complaints relating to Google and are reviewing with our EDPB [European Data Protection Board] counterparts partners how these will proceed,” said an ICO spokesman.
As with anything GDPR-related, nothing is straight-forward. Here’s a rundown on the latest implications.
CNIL’s case against Google:
Burying privacy terms so that users have to click five or six times to find details on for example, how their location data is used — and that Google has conflated multiple processing purposes to use personal data to target ads.
95,000: Number of GDPR complaints received by data protection authorities since last May.
42,000: Number of data breach notifications received by DPAs.
€50 million: ($57 million): size of fine French DPA has levied.
Jan. 22: The date the Irish DPA was made the official lead GDPR supervisory for Google’s European operations.
15: Number of statutory investigations open at the Irish DPA, and filed against multinational technology companies. None of these include Google, according to the regulator.
It’s all in the timing
CNIL moved quickly to make its verdict ahead of a key bump in the road: the Irish DPA attaining sole power over the decision of whether to fine Google for breaching GDPR. That’s an authority the Irish DPA was only granted on Jan. 22, the day after the CNIL revealed it had fined Google for violating the law. In GDPR speak, this is known as a “one-stop-shop mechanism” and was put in place so that any business with cross-border operations would only need to deal with one lead DPA — and, in theory, avoid any further confusion. It meant that Google’s U.S. entity was responsible for processing EU user data, whereas now its Irish unit will do so. CNIL headed this off in its announcement, stating that it began investigations long before Google’s one-stop shop mechanism was applicable. All in all, clever timing by the French regulator.
With 28 different member states in the European Union, each with its own national DPA, alignment on the law’s enforcement was always going to be messy. But according to the European Data Protection Board — the body established to ensure consistency and a joined-up approach among the different DPAs of the European Union’s 28 DPAs — as of Jan. 22 the Irish DPA’s Google verdicts are the ones to watch.
“For any potential GDPR violation taking place once Google has a main establishment in the EU, the relevant lead supervisory authority will be the only one, in principle, to take coercive measure against Google,” said an EDPB spokeswoman.
DPA jurisdiction is a minefield
So far, it’s only France’s regulator that has come out with a clear verdict and proposed a penalty for Google. The ICO has confirmed it is liaising with other DPAs in other countries, to discuss the CNIL verdict. The ICO has not confirmed whether or not it will align with CNIL and fine Google, although it has stipulated it is reviewing complaints people have made against Google.
Since the Irish DPA only gained lead regulator for Google in Europe on Jan. 22, the CNIL verdict will stand. But there is a question mark over which and how many DPAs have the right to fine Google in the future.
A spokeswoman for the Irish DPA said that it has received complaints against Google, but that it currently has no plans to investigate the tech giant. However, although the Irish DPA has, in theory, the lead position, other DPAs can still contest its verdicts with relation to Google, according to the EDPB spokeswoman. Any DPA can challenge the decision made by another, and the same goes for the Irish DPA. Should that occur, the decision would then be kicked up to the EDPB, which would facilitate the discussion among the various DPAs.
In other words, should the Irish DPA decide not to fine Google for any proposed GDPR violation, it could be challenged by the other DPAs — who would then discuss it en masse and likely agree to some kind of compromise.
Honeymoon is over
While the majority of GDPR warnings and fines have come from the French regulator, it won’t likely remain that way. The ICO’s decision to look into the CNIL verdict, along with the momentum of various privacy activists continuing to lodge complaints will continue to build, according to publishing and ad tech executives.
“Publishers should be OK, but ad tech vendors should be worried,” said an ad tech executive who spoke anonymously. “They’re [publishers] not mining people’s profiles and using that data to target people across the web. It’s other ad tech vendors that should be worried. And it looks like CNIL has emboldened other DPAs across Europe.”
‘Taking a bite’: Major political and news headlines are sucking up all the oxygen on Facebook
A confluence of national headlines and surging political ad spending appears to be eating into the Facebook referral traffic of several publishers.
Food52 jumps further on the streaming bandwagon with its new OTT app
First building up its long form video content on Xumo and YouTube, the food publisher is planning to display similar content on the OTT app, but will play to a new kind of audience consumption habit: binging.
‘All taking a chance on each other’: Jasper Wang on Defector Media’s collective ownership structure
A group of 18 former Deadspin employees have launched Defector Media with a much more collective ownership structure.
SponsoredIn the race to shore up revenue, publishers are overlooking deal terms
Many publishers are struggling to keep their business models afloat with cookies dying and brands tightening their ad spend in an age of pandemic and recession. To contend with unprecedented challenges, publishers have taken to implementing a wide variety of new tactics. Some are turning to alternate revenue streams, such as subscriptions and affiliate marketing. […]
Member ExclusiveBack in the fold: For many advertisers, just a commitment from Facebook to change is enough to return
Facebook has made several commitments to change the way it handles hate speech on its platform — but we've yet to see many of them in action.
Deep Dive: How media buying execs are adapting to the challenges and changes of 2020 and beyond
The coronavirus crisis has brands and the media they rely on scrambling to adapt to sweeping shifts in consumer behavior and attitudes.