Will Google respond to GDPR fine with a cheque or an army of lawyers?

23 Jan 2019

Image: © Svensen/Stock.adobe.com

After being hit with a €50m GDPR fine, Google is studying its next steps and its response could set the tone for the future of data in Europe.

“It’s just a tax on data,” a learned neighbour of mine opined on the news that Google has been hit with a €50m fine by French data regulator CNIL (Commission Nationale de l’Informatique et des Libertés), one of the first mega-fines to be applied under Europe’s tough new GDPR (General Data Protection Regulation) rules.

Behind the seemingly flippant comment is a niggling kernel of possibility: tech giants such as Google and Facebook, with their seemingly bottomless pits of cash, could just assume that such fines will become the order of business du jour and write them into their annual budgets.

‘Beyond Google, how many other firms and fines will be making GDPR headlines in 2019, and will European tech firms get the same treatment? The real news will be what comes next’

Then again, companies such as these also know that a lot rides upon public sentiment and, as former Google executive chair Eric Schmidt told journalists in Kerry in 2009, if people stop trusting the company then that is it, lights out.

Rather than write a cheque, Google may very well appeal the decision to save face.

The heart of this particular case was allegations that Google failed to comply with GDPR in instances where Android users set up a new phone and followed the Android onboarding process. CNIL ruled that Google was guilty of breaking EU privacy laws by failing to obtain adequate consent from users when processing their data for the purpose of personalised advertising. Under GDPR rules, EU regulators can fine companies as much as €20m or 4pc of their turnover, whichever is highest.

Could Facebook be next internet giant to get GDPR fine?

But that brings us on to the next elephant in the room, Facebook, which is currently engaged in a supreme court appeal over transatlantic shipments of data to the US. 2018 was a horrible year for Facebook in terms of breaches and scandals such as Cambridge Analytica. Could it be next to face the wrath of GDPR?

Infosec analyst Dermot Williams from Threatscape believes that the fines under GDPR will indeed be taken very seriously by the companies. “I doubt regulators view this is [as] some sort of toll to be extracted from tech giants; their goal is to modify their behaviour, not tax their activities.

“SMEs and corporates may not handle anything like the volumes of data Google do, but they need to be aware that the rules apply to them just the same and that they should get their GDPR house in order if they’ve not already done so.”

Williams said that it was always going to be a coin toss over which mega-firm would first feel the bite of GDPR, Google or Facebook. He reasons that there surely must already be ongoing investigations into Facebook in at least one EU jurisdiction.

“It is possible that Facebook not receiving a GDPR fine yet is merely an indication that any investigations are proving more complex, and their infringements more serious. If and when they do get their first GDPR fine, it could be substantial; they are unlikely to be clicking the ‘like’ button.”

Williams believes we are only on the opening pages of a new chapter in the data protection narrative of Europe. “Since GDPR came into effect last year, there has been a lot of speculation about how harshly regulators might handle the first enforcement cases. Would they merely dispense an admonishment or modest fine along with a stern warning that further transgressions would not receive such leniency? Was there the political will to fine companies the eye-watering 2pc to 4pc of global turnover which GDPR allows for?

“With a turnover in excess of $100bn, Google could have been fined billions of dollars were their infringement deemed sufficiently extreme, so, while a €50m fine will attract headlines, it is at the lower end of possible penalties given their size. What would have been a terminal blow to many is for Google a rounding error.

“Until more details emerge, we won’t know if there has already been robust dialogue behind the scenes. Has Google accepted the regulator’s interpretation of the regulations and agreed to amend their data-gathering procedures and disclosure notices? Will they respond with a cheque or an army of lawyers? Do regulators view this as case closed, or an opening salvo in their attempts to bring the tech giant to heel?

“And, beyond Google, how many other firms and fines will be making GDPR headlines in 2019, and will European tech firms get the same treatment? The real news will be what comes next.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years