UPDATE: January 23, 2019: Google plans to appeal the $57 million fine imposed by French regulators, the company said in a statement Wednesday.
"We've worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing," according to a statement from a Google spokesperson.
"We're also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we've now decided to appeal."
After eight quiet months from regulators, Google earned the first major fine under the European Union's General Data Protection Regulation.
On Monday, the Commission Nationale de l'Informatique et des Libertés (CNIL), a French administrative body for data protection regulations, imposed a $57 million fine on the company for practices related to the Android operating system and account creation during mobile device configuration.
The size of the penalty is "justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent," CNIL wrote in its announcement.
The regulator laid out two areas in which Google was failing to meet GDPR standards:
Information relating to what data was being collected, why it was being processed and how long it would be stored was not easily accessible, sometimes requiring five to six steps for users to locate. Once located, information was not always presented in a clear or comprehensive manner, inhibiting user understanding of Google's processing operations for ad personalization.
Consent obtained from users for data processing was not sufficiently informed and was not "specific" or "unambiguous." Users were not aware of the extent of data processing, and consent was not obtained for each distinct processing operation.
The kickoff to what is sure to be a hefty trail of fines for data processing practices is significant in its own right. But the Google case also demonstrates the new power of digital rights groups and the complex jurisdictions of European regulators.
Yet the fine has been criticized by some as a money-making play by regulators without clear motivations, turning the first major penalty from a teaching moment to a worry-inducing one.
A Google spokesperson said the company is "studying the decision to determine our next steps." The company noted that "people expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
It was the French regulator's first application of the young data protection regulation, as well as the first major GDPR fine handed down by any European regulator. Earlier GDPR fines ranged from around $6,000 to $23,000.
"The world has been on tenterhooks waiting for the first major fine to be enforced for a breach of the GDPR — and this week they got what they were waiting for," wrote Jean-Michel Franco, senior director of data governance products at Talend, in a statement to CIO Dive.
Regulators can fine companies up to 4% of annual global revenue for GDPR violations. While $57 million is a relatively small sum for a global technology company that pulled in more than $97.5 billion in revenue across the first three quarters of 2018, it is significantly more than the company would have been fined under previous regulations.
Prior to GDPR, the maximum penalty French regulators could impose on an organization was around $340,000, according to Franco. Facebook was fined around $650,000 for the Cambridge Analytica scandal by the United Kingdom's Information Commissioner's Office; by comparison, this GDPR fine "is a game changer."
It takes a village to raise a fine
NOYB is an Austrian digital rights nonprofit launched by privacy activist Max Schrems in 2017 with the dedicated mission of identifying and litigating data protection violations. La Quadrature du Net is a French nonprofit dedicated to internet rights and freedoms, including online privacy.
GDPR stipulates that data subjects can mandate consumer protection bodies to bring claims on their behalf. Nongovernmental organizations, such as the ones involved in the Google case, can file complaints on behalf of thousands of individuals — and benefit from widespread media coverage and regulators' close attention, Franco said.
Privacy International, for example, recently filed complaints against data brokers to French, Irish and British regulators. Earlier this month regulators confirmed they are looking into the data reselling and processing activities of these organizations.
In which country a case is handled can be a complex matter. GDPR's "one-stop-shop mechanism" stipulates that an organization in the European Union will have only one administrator, the Data Protection Authority of whichever country holds the organization's "main establishment."
Google's headquarters sit in Ireland. The company was scheduled to establish these headquarters as the primary service provider and controller for most of Google's consumer services in the European Economic Area and Switzerland — putting it firmly under the Irish DPA's authority.
The change was scheduled for January 22 — the day after CNIL handed down its fine.
Cases with cross-border processing demand coordination with other DPAs before handing down a decision. When CNIL began investigating the complaints on June 1, it coordinated with other European DPAs, including the Irish one, to establish whether the French body would be the lead authority for the case.
When the proceedings began, the Irish DPA did not have decision-making power for the operations in question, so CNIL handled the violation, carrying out inspections in September to verify the company's compliance.
There's always a 'but'
After eight relatively quiet months, rumors were circulating that harder GDPR enforcement action was just around the corner.
"Until this point, data protection authorities have been incredibly patient with companies," said Anurag Kahol, CTO and co-founder of Bitglass, in a statement provided to CIO Dive. "However, it seems this grace period is more or less passing."
While Google can easily absorb the penalty, other businesses likely will not be able to do so as easily, he said. With this case potentially paving the way for new penalties, "this instance should be a wakeup call for organizations everywhere to begin taking data privacy far more seriously."
Some experts worried that, without major action coming down the line, organizations would stop taking the regulation so seriously and let compliance fall to the wayside.
Companies that are still not compliant should be worried: Consumers are feeling more empowered and putting pressure on regulators and businesses through individual complaints and group actions, Franco said.
"The added pressures of Brexit and data sovereignty issues add extra elements of concern to an already complex data landscape," he said. "Businesses must do more to regain the trust of their data subjects and be aware that they risk very significant fines and further reputational damage in the event of noncompliance — both of which could prove potentially fatal to businesses."
But some experts have been wary of CNIL's decision. Each penalty and fine regulators hand down is a learning moment, but little information on how the regulator determined the fine can add confusion.
"As an executive on the outside looking in, it seems like an underfunded agency looking for a way to get paid," said George Gerchow, chief security officer at Sumo Logic, in a statement provided to CIO Dive. "It will be super interesting to see if Google pays it, or fights just on principle and to stop other agencies from coming after them and the rest of us."
Jonathan Bensen, interim CISO at Balbix, reiterated that GDPR fines are a way for regulators to make a lot of money. Regulators across the EU remain underfunded and understaffed, making GDPR enforcement more difficult to carry out.
CNIL imposed a fine without offering a solution to the problem, and "it is dangerous to react without understanding the entire situation in order to identify the real issues and recommend ways in which to solve them," Bensen said.
Decoupling account creation during mobile device setup can limit users' experience with technology.
"While it is possible to run an Android phone without a Google account, it makes it almost unusable," Bensen said. "The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device."
Alex Stamos, former CSO of Facebook, chimed in on Twitter with the complaint that it is "very hard to find a European advertiser who lives up to these standards. Maybe they are just starting with the biggest, but if CNIL doesn't fine any EU-based ad networks in the coming months we know GDPR is about competition policy, not privacy."
Figuring out how content is paid for online and privacy issues around ad networks, trackers, analytics and other systems is difficult, he added. "One way to avoid dealing with that conflict is to use GDPR as a PR tool against US companies."