EU takes a stand on data protection with Google fine

Regulators in Europe sent a clear signal about how strictly they will enforce the bloc’s General Data Protection Regulation with a €50 million ($57.2 million) fine against Alphabet Inc.’s Google, and risk managers and other stakeholders should heed the warning and closely examine their privacy and data protection policies and processes, particularly in the area of informed consent for the use of personal information, experts say.

The Commission Nationale de l'Informatique et des Libertés in France received complaints about Google immediately after the GDPR took effect in May 2018 and launched an investigation, the regulator said Jan. 21.

The investigation uncovered two types of GDPR breaches: a violation of the obligations of transparency and information because the information provided by Google is not easily accessible to users and not always clear or comprehensive; and a violation of the obligation to have a legal basis for ads personalization processes because user consent is not sufficiently informed and the collected consent is neither “specific” nor “unambiguous,” according to the regulator.

“Were they just targeting Google because it’s an American company or a large company?” said Daniel Castro, Washington, D.C.-based director of the Center for Data Innovation, which formulates and promotes public policies designed to maximize the benefits of data-driven innovation in the public and private sectors. “It doesn’t seem like Google was doing anything that different than any of the other companies, large and small, that are collecting and using data online and have been actively trying to comply with GDPR. The GDPR is this really complex, lengthy set of requirements and those requirements are not very clear and they’re even contradictory. A company like Google has invested a lot of money into trying to meet this standard.”

This is the first time CNIL applied the new sanction limits provided by the GDPR — up to 4% of annual revenue for the most serious breaches — and the regulator said the amount and the publicity of the fine were justified by the severity and ongoing nature of the GDPR violations.

“It’s not surprising that one of the first fines came against a company like a Google,” said Teri Cotton Santos, a compliance and risk management consultant with Hoffman-Barnes Risk Management Consulting in Chicago and co-author of a Risk & Insurance Management Society Inc. report on the California Consumer Privacy Act, which features some GDPR-like provisions. “They’re huge. They manage a lot of data, and some people think — and I think there may be some truth to this — the GDPR was actually written to address some of the concerns about companies like Google and Facebook that have such large amounts of consumer data. I do think the fines that were announced were intended to get the corporate community’s attention and convey seriousness of this issue on the part of the European regulators.”

“In the grand scheme of things, $57 million is a big number,” said Paul King, Dallas-based senior vice president and national technical solutions practice leader for USI Insurance Services LLC. “For Google or Alphabet overall, it’s not really that big of a number, but it represents something as far as a fine goes that is a watershed moment.”

Google has vowed to appeal. “We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing,” a Google spokesperson said in a statement Wednesday. “We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond.”

But an appeal will be “real uphill battle,” said Laura Clark Fey, privacy law specialist and principal with Fey LLC based in Leawood, Kansas.

“Google is one of the companies that for some time has received a lot of scrutiny in the EU, in particular for their privacy practices,” she said. “There are data protection authorities in the EU who have talked about going after U.S. tech giants. On top of that … when you look at the GDPR obligations on their face and you look at the factual assertions within the opinion, there are some legitimate issues that are raised.”

Twitter Inc.’s lead regulator in the European Union, the Irish Data Protection Commissioner, said on Friday it was investigating the company for a breach notification received from the social networking site, while Dutch authorities commissioned a general data protection impact assessment on the processing of data about the use of the Microsoft Office software in 2018. But aside from the major tech giants, companies in other sectors such as advertising and marketing or retail are also vulnerable to GDPR enforcement, experts say.

“Sometimes there’s a sense that EU regulators are only going to focus on big companies like Facebook and Google. And although I think large tech companies like Facebook and Google will certainly continue to be under a microscope, you will also see enforcement actions taken against smaller companies and those without a European presence who are doing business in the EU,” Ms. Fey said. “Some companies may have the sense ‘we don’t have to worry about the GDPR since we don’t have locations in the EU.’ I think it would be wise for them to still look at their GDPR obligations if they are processing EU personal data.”

Risk managers and their companies should already have the right controls in place but must ensure the controls are working as intended and there are no gaps, particularly in the area of informed consent, Ms. Santos said.

“Under the GDPR, consent is hard to obtain,” Ms. Fey said. “There are multiple factors you have to meet to have valid consent, specifically that the consent be unambiguous. CNIL is making very clear that when they say they want the consent to be specific, they mean it.”

For example, if users do not receive transparent notice of privacy practices until after an application is already downloaded and the data collection has already started, that does not constitute valid informed consent, according to the regulators’ stance.

“Make sure your privacy notice meets those obligations set forth in the GDPR, but also is transparent and easy to get to,” Ms. Fey said.

Risk managers should also be checking their cyber and other insurance policies because some older forms do not contemplate causes of action, such as the right to be forgotten, featured in the GDPR, Mr. King said.

While Google is “a big headline and a nice scalp, even if they are going to appeal,” the significant jump in the fine levied compared with previous GDPR fines and the lengthy investigation indicate that regulators will bring more enforcement actions in 2019, Mr. King said.