By George Gelinas
American tech companies are facing higher scrutiny in Europe. Apple Inc. is under antitrust investigation for its plans to acquire Shazam, German antitrust regulators probed Facebook, Inc. for having users waive control of personal information,[1]and Google LLC (“Google”) is in the middle of a legal battle with the European Union (“EU”) over antitrust fines for over $5 billion.[2] Now, French regulators have fined Google for violation of EU privacy laws.[3] According to the Commission Nationale de I’Informatique et des Libertés (“CNIL”), France’s privacy rights office, Google has violated “essential principles” of the EU’s General Data Protection Regulation (“GDPR”) such as “transparency, information, and consent.”[4] The implementation of GDPR marks a shift in the EU’s perception of responsibility when it comes to data protection.[5] In the past, regulators focused on organizations that were classified as “data controllers.”[6] However, as global economies became increasingly intertwined, EU member nations expressed concern that citizens’ personal data were being exploited without their knowledge or consent.[7]
Jan Phillip Albrecht, a member of European Parliament, praised the new regulation as a “fierce European ‘yes’ to strong consumer rights and competition in the digital age.”[8] The GDPR replaces the former data protection directive from 1995 and will give EU citizens more control over their private information by enforcing, among other things, a right to be forgotten, a clear and affirmative consent process, the right to transfer data to another service provider, and the right to be notified when data has been hacked.[9]
Google has announced that it will appeal the decision and maintains it made a good faith effort to create a GDPR consent process that is transparent and straightforward.[10] While Google users are able to modify their privacy settings when creating an account, the French regulators make it clear that the ability to modify settings is not enough.[11] Regulators point to Google’s default settings which permits personalized advertisements.[12]
Google’s most recent run-in with EU privacy laws is a likely sign of what is in store for other U.S. tech giants that commoditize online consumer behavior.[13]
It seems European privacy watchdogs are eager to play their role in enforcement of the new regulation. Investigations into Google started on May 25th– the day that the GDPR went
into effect.[14] Additional privacy complaints have been filed against Facebook and its subsidiaries Instagram and Whatsapp.[15]
Tech businesses and other organizations should closely follow Google’s appeal to learn how the EU interprets its guidelines. Companies looking to avoid penalties should make sure that they have comprehensive data privacy policies and procedures in place, and more importantly, be able to demonstrate that they follow their policies and procedures to prove compliance.[16]
[1]Sissi Cao, Why Tech’s ‘Big 4’ all faced antitrust probes in Europe, but not in the US, Observer(Feb. 15, 2018), https://observer.com/2018/02/eu-antitrust-probe-apple-amazon-facebook-google/.
[2]See generallyFoo Yun Chee, Europe hits Google with record $5 billion antitrust fine, appeal ahead, Reuters Business News(July 18, 2018), https://www.reuters.com/article/us-eu-google-antitrust/europe-hits-google-with-record-5-billion-antitrust-fine-appeal-ahead-idUSKBN1K80U8.
[3]Sara Merken and Daniel R. Stoller, Google to Fight $57 Million French Privacy Fine (1), Bloomberg Law(Jan. 23, 2019), https://news.bloomberglaw.com/privacy-and-data-security/google-to-fight-57-million-french-privacy-fine-1.
[4]Id.
[5]Shawn A. Morgan, Compliance Deadline is Here for EU Privacy Law, Total Security Daily Advisor (May 25, 2018), https://totalsecuritydailyadvisor.blr.com/policies-training/compliance-deadline-nears-eu-data-privacy-law/.
[6]Id.
[7]Id.
[8]Data protection reform – Parliament approves new rules for the digital era, European Parliament (Apr. 4, 2016), https://www.europarl.europa.eu/news/en/press-room/20160407IPR21776/data-protection-reform-parliament-approves-new-rules-fit-for-the-digital-era.
[9]Id.
[10]Tony Romm, France fines Google nearly $57 million for first major violation of new European privacy regime, Washington Post(Jan. 21, 2019), https://www.washingtonpost.com/world/europe/france-fines-google-nearly-57-million-for-first-major-violation-of-new-european-privacyregime/2019/01/21/89e7ee08-1d8f-11e9-a7592b8541bbbe20_story.html?noredirect=on&utm_term=.e9f212690baf.
[11]Id.
[12]Id.
[13]Morgan,supra note 4.
[14]Romm,supranote 9.
[15]Id.
[16]Id.
