Last week, France’s data protection regulator, the National Data Protection Commission (NCIL), fined Google the largest amount to date under the EU’s General Data Protection Regulation (GDPR). While the €50 million ($56 million) penalty is the highest assessed against any organization thus far, the maximum fine could easily have numbered in the billions.
GDPR allows for maximum fines of 4% of a company’s annual global turnover, a punishment presumably reserved for only the most egregious or habitual offenders. But the Google ruling, as well as the other GDPR fines to date, may provide some insight into what to expect from DPAs when it comes to GDPR enforcement.
The CNIL determined that Google failed to properly obtain consent from consumers for personalized ads, made privacy information difficult to find, and the information they did provide was ambiguous and unclear. The commission concluded, “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
Google announced plans to appeal, stating that, “We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”
It will be through rulings such as these, and the subsequent appeals, that the meanings of transparency, information and consent are better defined. Undoubtedly other tech companies anxiously await the next rulings, as the complaint against Google represents one of several filed on the day GDPR went into effect; the complaints again Facebook, Instagram, and WhatsApp are still pending. Subsequent complaints against Amazon, Apple, Netflix and other tech giants have also been filed.
If this case can be used as a measure, it seems clear that GDPR authorities have no intention of levying large fines on the basis of deep pockets, at least initially. But it will be interesting to see how those deep pocket organizations navigate the appeals process, and whether they prevail.
Less publicized, but also educational, were other early GDPR rulings from across the EU. The following may provide guidance on what we may expect as additional penalties are assessed.
Real World Privacy and Small Business
In September 2018, a betting shop owner was fined €4,800 by the Austrian Data Protection Authority (DPA) for illegal video surveillance. The owner installed a closed-circuit television (CCTV) camera in front of the store that captured a large area of the public sidewalk. Because the camera was not properly marked to indicate it was conducting video surveillance, and because large-scale monitoring of public spaces is not permitted under GDPR, the DPA levied this small fine.
This example illustrates the scope of the GDPR, from both the perspective of small business and real world privacy. We tend to think of GDPR solely in terms of data privacy and larger organizations, but this shows a privacy violation in a real world sense at a small establishment. Small business should not assume they are immune from GDPR compliance consequences; the DPAs will go wherever privacy complaints take them.
Protection of Personal Health Information
Prior to the Google fine, the largest penalty levied was in Portugal, where the DPA fined a hospital for three violations totaling €400,000. They determined that the hospital allowed indiscriminate access to confidential health information, failed to protect that data from unlawful access, and failed to ensure appropriate ongoing security adequate to the risk.
In levying a larger fine, the DPA considered the special category that health data enjoys and the level of risk to data subjects. Just as with U.S. law under HIPAA, the protection of personal health information is considered critical.
Also noteworthy is the fact that the fines came as a result of a media report rather than a complaint. DPA’s have full investigative authority to explore any potential GDPR compliance violations, and will not be limited to complaints received.
The Importance of Transparency
In November, the German social networking platform Knuddels.de was fined €20,000 for a data breach. Hackers obtained 808,000 user email addresses and more than 1.8 million user names and passwords, because they were stored in unencrypted plain text. In issuing the penalty, the German DPA indicated that because the site quickly implemented security improvements, cooperated with authorities, and immediately contacted users, this transparency was rewarded with a “relatively low” fine. The Baden-Württemberg DPA stated that it was “not interested in entering into a competition for the highest possible fines. In the end, it’s about improving privacy and data security for the users.”
Organizations should not underestimate the importance of their response to a potential violation. It may not only make a difference in terms of the monetary penalty, but may very well impact the consequences should there be any subsequent infractions in GDPR enforcement.
Many organizations feel they’ve cleared the bar for GDPR compliance, while others are still dragging their feet on clearing every GDPR hurdle. As more penalties are issued, it will become clear how strict the DPAs will be in issuing punishments and interpreting the regulation. The best way to inoculate an organization against potential fines and penalties is to implement an enterprise data intelligence platform with a framework built on data governance. An integrated solution that brings together data quality and analytics, and uses data governance to ensure GDPR compliance, will assure you know exactly where your sensitive data is located, and that the policies and processes are in place to properly manage access and usage. In addition, analytics can be layered in to create machine learning algorithms to find hidden data across the organization, identify integrity issues and find compliance gaps.
If you would like to learn more about GDPR compliance and data governance, download the white paper below.
For a deeper dive into this topic, visit our resource center. Here you will find a broad selection of content that represents the compiled wisdom, experience, and advice of our seasoned data experts and thought leaders.