What to know about Google’s GDPR troubles
When it comes to the General Data Protection Regulation, the honeymoon for businesses seems to be over.
Google is the first company to be hit with a serious financial penalty for what France’s National Commission for Informatics and Liberty, known as CNIL, has deemed a violation of GDPR. This week, The Telegraph reported that the U.K.’s Information Commissioner’s Office is also investigating the tech giant’s approach. Google has said it is appealing the CNIL’s decision.
“In common with many other [data protection agencies] in Europe, we have received complaints relating to Google and are reviewing with our EDPB [European Data Protection Board] counterparts partners how these will proceed,” said an ICO spokesman.
As with anything GDPR-related, nothing is straight-forward. Here’s a rundown on the latest implications.
CNIL’s case against Google:
Burying privacy terms so that users have to click five or six times to find details on for example, how their location data is used — and that Google has conflated multiple processing purposes to use personal data to target ads.
95,000: Number of GDPR complaints received by data protection authorities since last May.
42,000: Number of data breach notifications received by DPAs.
€50 million: ($57 million): size of fine French DPA has levied.
Jan. 22: The date the Irish DPA was made the official lead GDPR supervisory for Google’s European operations.
15: Number of statutory investigations open at the Irish DPA, and filed against multinational technology companies. None of these include Google, according to the regulator.
It’s all in the timing
CNIL moved quickly to make its verdict ahead of a key bump in the road: the Irish DPA attaining sole power over the decision of whether to fine Google for breaching GDPR. That’s an authority the Irish DPA was only granted on Jan. 22, the day after the CNIL revealed it had fined Google for violating the law. In GDPR speak, this is known as a “one-stop-shop mechanism” and was put in place so that any business with cross-border operations would only need to deal with one lead DPA — and, in theory, avoid any further confusion. It meant that Google’s U.S. entity was responsible for processing EU user data, whereas now its Irish unit will do so. CNIL headed this off in its announcement, stating that it began investigations long before Google’s one-stop shop mechanism was applicable. All in all, clever timing by the French regulator.
With 28 different member states in the European Union, each with its own national DPA, alignment on the law’s enforcement was always going to be messy. But according to the European Data Protection Board — the body established to ensure consistency and a joined-up approach among the different DPAs of the European Union’s 28 DPAs — as of Jan. 22 the Irish DPA’s Google verdicts are the ones to watch.
“For any potential GDPR violation taking place once Google has a main establishment in the EU, the relevant lead supervisory authority will be the only one, in principle, to take coercive measure against Google,” said an EDPB spokeswoman.
DPA jurisdiction is a minefield
So far, it’s only France’s regulator that has come out with a clear verdict and proposed a penalty for Google. The ICO has confirmed it is liaising with other DPAs in other countries, to discuss the CNIL verdict. The ICO has not confirmed whether or not it will align with CNIL and fine Google, although it has stipulated it is reviewing complaints people have made against Google.
Since the Irish DPA only gained lead regulator for Google in Europe on Jan. 22, the CNIL verdict will stand. But there is a question mark over which and how many DPAs have the right to fine Google in the future.
A spokeswoman for the Irish DPA said that it has received complaints against Google, but that it currently has no plans to investigate the tech giant. However, although the Irish DPA has, in theory, the lead position, other DPAs can still contest its verdicts with relation to Google, according to the EDPB spokeswoman. Any DPA can challenge the decision made by another, and the same goes for the Irish DPA. Should that occur, the decision would then be kicked up to the EDPB, which would facilitate the discussion among the various DPAs.
In other words, should the Irish DPA decide not to fine Google for any proposed GDPR violation, it could be challenged by the other DPAs — who would then discuss it en masse and likely agree to some kind of compromise.
Honeymoon is over
While the majority of GDPR warnings and fines have come from the French regulator, it won’t likely remain that way. The ICO’s decision to look into the CNIL verdict, along with the momentum of various privacy activists continuing to lodge complaints will continue to build, according to publishing and ad tech executives.
“Publishers should be OK, but ad tech vendors should be worried,” said an ad tech executive who spoke anonymously. “They’re [publishers] not mining people’s profiles and using that data to target people across the web. It’s other ad tech vendors that should be worried. And it looks like CNIL has emboldened other DPAs across Europe.”
How agencies are shaping the future of DEI beyond their own walls
Agencies are acknowledging that diversity efforts don’t stop with their companies. In addition to improving employee representation, now agency efforts in diversity, equity and inclusion are aimed at supporting clients and external partners.
Newsletter publishers say they continue to see uptick in revenue despite advertising slowdown
At a time when larger media companies are feeling the pressure of the economic downturn and advertising slowdown, newsletter businesses continue to be in a period of revenue growth.
TikTok’s CEO faces bipartisan skepticism in first Congressional hearing on security concerns
The hearing comes amid calls to remove TikTok from government devices and in some cases even ban it entirely.
SponsoredHow advertisers are leveraging omnichannel attribution and measurement to power CTV
Sponsored by MNTN Connected TV advertising has joined and expanded the larger ecosystem of campaigns that advertisers deploy. As such, omnichannel marketing strategies now encompass television and mobile devices, tablets and other screens such as out-of-home. And as customers engage across these different touchpoints, brands are seeking and moving their measurement and analytics efforts to […]
Media Briefing: What to expect at the Digiday Publishing Summit
As DPS draws nearer, top pain points for publishers are coming to light.
New app launches through Apple hoping to win with ‘zero-party data’ when others haven’t
Caden's new app lets users connect data from their Uber, Amazon, Netflix and other accounts in exchange for money. Will it take off?