Google is to appeal its record General Data Protection Regulation (GDPR) fine, a move that could see some key aspects of the EU’s privacy law tested in the courts.
On 21 January 2019, France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a EUR 50 million fine on Google for breaching the GDPR. The enforcement action centred on the technology company’s collection and use of customer data for personalised online advertising, which some argue amounts to ‘forced consent’.
CNIL says users were “not sufficiently informed” about how the US technology company collected and processed data.
Google is appealing the CNIL fine, arguing that its consent process for personalised ads is as “transparent and straightforward as possible, based on regulatory guidance and user experience testing”.
The technology group is likely to use the enforcement action to test the French regulator’s interpretation of consent under the GDPR, as it goes to the heart of its business model. CNIL’s decision would first be challenged before the French courts (appeals against CNIL sanctions are heard by the Conseil d’État), but could also reach the EU’s highest court, the Court of Justice of the European Union in Luxembourg, if a question of EU law is referred to it.
Given that the GDPR is not prescriptive, many aspects of the rules are open to interpretation by regulators and companies. Each privacy complaint and data breach could provide much needed clarity on a wide range of issues, including consent, data breach notification criteria and the way regulators calculate penalties. Another area of uncertainty is the insurability of GDPR fines. Cyber insurance can cover fines to the extent they are insurable by law; however, regulators in many jurisdictions have yet to offer guidance on this point.
Under the EU’s data protection rules, the EUR 50 million fine is easily the largest yet, although it is still well below the maximum allowed under the GDPR. Applicable since 25 May 2018, the GDPR gives regulators the power to levy fines of up to EUR 20 million, or up to 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
For a severe breach of the GDPR, CNIL could have theoretically hit a company the size of Google with a fine of almost EUR 4 billion.
Around 91 fines were imposed under the new GDPR in its first eight months, according to a recent study by DLA Piper. In January, the Portuguese data protection regulator fined a healthcare provider EUR 400,000 for breaching the GDPR, the largest fine at the time.
In Germany, a EUR 20,000 fine was imposed on a company for a security breach, and in January a EUR 80,000 fine was imposed for a health data breach.
Google’s fine is also far higher than the penalties CNIL imposed under the old data protection regime: in 2018 CNIL fined the French retailer Optical Center EUR 250,000 and Uber EUR 400,000, while in January 2019 it fined Bouygues Telecom EUR 250,000.
Expect more fines
During the first eight months of the GDPR, more than 59,000 personal data breaches were notified to regulators, suggesting that many firms have heeded the new breach notification rules, according to DLA Piper.
The Netherlands, Germany and the UK recorded the most data breaches notified to supervisory authorities, with around 15,400, 12,600 and 10,600, respectively.
It is still very early days for GDPR enforcement, with only a handful of fines reported to date.
With the exception of the recent EUR 50 million fine imposed on Google, the fines imposed so far have been low relative to the maximum fines regulators can now impose, according to DLA Piper.
The law firm expects, however, that 2019 will see more fines for tens and potentially even hundreds of millions of euros, as regulators deal with the backlog of GDPR data breach notifications.
This record fine sends a strong message to companies that hold or process data on EU citizens. Initially, European data protection regulators appeared willing to give companies some leeway as they adapted to life under the GDPR. Almost one year on and regulators seem more willing to use their new powers against, not just EU organisations, but also companies based outside the EU.
The CNIL’s enforcement action also demonstrates EU regulators’ willingness to pursue privacy violations, not just data breaches. A number of large technology companies face similar complaints across Europe, including pending regulatory decisions by the CNIL.
As implemented in France, the GDPR enables employee and consumer representative bodies to lodge a GDPR complaint on behalf of groups of data subjects.
On 25 May 2018, the day the GDPR became applicable, the privacy advocacy group None Of Your Business (noyb) filed four complaints against Facebook, Instagram, WhatsApp and Google, questioning whether their terms and conditions comply with the GDPR.
Shortly after, the digital rights group La Quadrature du Net (LQDN) filed similar complaints with the CNIL against Google. The UK’s Information Commissioner’s Office (ICO) is reportedly working with other regulators following complaints lodged with it over Google’s practices under the GDPR.
Talk to an expert
For further information, please contact Sarah Stephens, Head of Cyber/Technology E&O, on +44 (0)20 3394 0486