Following in the wake of the GDPR announcement in May 2018, 2019 has started with some of the world’s largest companies being innvestigated for breaches in the new regulation. As part of the General Data Protection Regulation, customers had the right to access an easy to understand copy of the personal data companies had stored, as well as information about who the data was shared with. Streaming service providers including Google, Apple and Spotify have been reported for breaches in regulation, as although in some cases their data was accessible, it was in a raw format, nonsensical or challenging to find.
It was reported that two non-profit privacy groups, ‘None of your business’ (noyb) and La Quadrature du Net had filed complaints to regulators regarding Google and 10 other tech giants just days after the GDPR was announced last year. Subsequently, on the 21st of January 2019 Google were handed a record-breaking fine of €50 million by the French data regulator, The National Commission on Informatics and Liberty (CNIL), due to breaches in their GDPR obligation. This is the first time one of the tech giants has been fined for such a break and sets a future precedent for more. Although the fine may seem sizeable, the maximum fine that can be levied against a firm is €20 million or 4% of annual global turnover, resulting in a potential fine of billions for the largest firms, far higher than the previous limit of £500,000 under the UK Data protection act which Facebook were hit with during the Cambridge Analytica scandal.
Although Googles European arm is based in Ireland, the French watchdog processed the fine as their Irish counterparts were said to lack the decision-making power to be able to do so. When asked, CNIL specified that the fines were a result of a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation” relating to the use of personal data on the Google search engine as well as on Google maps and YouTube.
It is possible that due to Googles status as one of the world’s largest companies, and one that relies heavily on personal data for advertising, they have been targeted first in order to set a precedent for other companies who have not taken the new regulation seriously. Given Google’s first quarter turnover of $31 billion dollars in 2018, it is unlikely that the €50 million fine will have much of an impact on them. However, Google’s US operations are based in California where they are intending on implementing similar data protection laws to GDPR and could cause further issues, leading to further fines for the firm and its Silicon Valley colleagues.
Given that at the same time Google was reported, complaints were also made against Facebook along with various other firms, it will be interesting to see who else is fined next.