The French data protection regulator CNIL fined Google earlier this week, to the tune of £44 million. It’s the first serious fine that’s been issued by a European data protection authority under the EU’s new General Data Protection Regulation (GDPR) and it is, unarguably, a big deal – but not just for Google.
The fine has been levied for what the regulator calls a “breach of transparency and information obligations” and a “failure to provide a legal basis for advertising personalization treatments”.
What that means, in short language, is that the search giant did not let its users know in clear enough terms how it would be using their data, and did not make it easy enough for users to change data settings.
The case began on 25 May 2018 – which many readers may recognise as the day on which the GDPR came into force – when long-time Austrian privacy activist Max Schrems, through his non-profit NOYB, and French NGO La Quadrature du Net, complained to various European data protection authorities about Google.
You may be wondering what NOYB stands for. The acronym means None Of Your Business, and it’s a pretty pithy summary of how privacy activists like Max Schrems feel about companies like Google. Privacy is, under European law, a fundamental right, and in the view of advocates like Schrems, big tech companies are woefully infringing on that right.
And through this decision, it looks as though they may be winning this fight. Schrems has history taking the battle to the big boys – a quick scroll through his website will tell you all you need to know about his adventures giving big tech a bloody nose, and this win is no less significant.
The issue is, for those who pay attention to both sides of the battle, a fundamental difference in the way that data is viewed. For most businesses these days, it’s seen as a vital asset; essential to the business and as valuable as cold, hard cash.
But to the privacy advocates, it’s seen as something far more pure. It’s theirs, and theirs alone. Fears abound over government surveillance, corporations with few checks and balances, identity theft and more. Why, they ask, should we be forced to constantly hand over personal data – and it is a constant process – just so businesses can turn a greater profit?
Those privacy advocates would also argue that this battle is something that represents the gradual attrition of the internet’s initial promise. It was, when it began, a democracy of communication, where the power to control behaviour, spending and to decide what people read and said was taken away from the people and organisations that had traditionally held it.
When companies realised what could be done with the internet, these advocates argue, that promise was taken away, and replaced by a constant harvest of customer data in the pursuit of profit. Many of them would argue that it is too late to protect our data – it’s already gone. And so much of the internet and the companies that dominate it is predicated on data collection that it’s hard to imagine the web without it.
But the decision by CNIL – which, because of the way in which the GDPR is written, could be joined by other data authorities levying equally large penalties on the company – might mean that this tide is slowly being reversed.
It was just a matter of time before one of the big tech companies was hit with a big fine, but for many, it is quite a relief to see it actually happen. After years of headlines about huge fines, it has happened, and it has been shown that the GDPR does have teeth, and that the regulators are willing to bare them.
What’s important to note here is that Google has been fined for something it has actively done. That might sound like a fairly obvious point, but looking at the recent past, a lot of legal and regulatory activity around data protection and privacy has been around punishing companies for things that arguably happened to them.
The UK’s Information Commissioner’s Office – the British equivalent to CNIL – for instance, recently levied a fine against Equifax for failing to protect customers from a massive cyber attack. But Equifax, of course, did not choose for that cyber attack to happen. It may have made numerous mistakes that meant the attack was ultimately successful, but it was not the company’s choice.
In this case, however, the actions that led to the Google fine were Google’s own. In fact, the actions that led to the fine are arguably core tenets of Google’s business model. That sends a message out to all companies that use data (which is basically all of them), that they need to take a tough look in the mirror. Otherwise the results may not be pretty.