Technology giant Google has lost its appeal over a €50m (£45m) fine that was levied by France’s data protection body, the Commission nationale de l'informatique et des libertés (CNIL), back in January last year.
At the time, the fine was the largest penalty that had been imposed so far under the General Data Protection Regulation (GDPR), which gives regulators the power to impose fines of up to 4% of global turnover or €20m, whichever is greater. This record was broken later in the year when the UK Information Commissioner’s Office (ICO) signalled its intent to fine British Airways and the Marriott hotel chain the sums of £184m and £99m, respectively. The process for these penalties is still ongoing after being delayed by the ICO, and they may well be ultimately reduced given that both these companies have been heavily affected by the COVID-19 pandemic.
The CNIL’s penalty against Google was based on two arguments. First, it claimed that Google’s consent gathering lacked sufficient transparency to enable users to make an informed choice. Second, and more importantly, it alleged that the company lacked a legal basis for using personal data in its advertising processes. Google quickly announced its intention to appeal the decision, saying in a statement:
“We’ve worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond.”
Google’s appeal was based on jurisdiction, however. It claimed that because its European headquarters are located in Ireland, the Irish Data Protection Commission (DPC) should be heading any investigations into the company’s practices. This argument was rejected by the Conseil d’État (Council of State), which is the wing of the French Government that functions as the supreme court for administrative justice. A final decision on the matter is expected soon.
The Irish DPC also has active cross-border investigations into Google and a number of other large tech companies that have based themselves in the country. The complexity of these cases has led to investigations taking much longer than expected; the first decision in one of them, concerning Twitter, is expected to be finalised in July.
The GDPR has been accused by some of being toothless, but given that it is still a relatively new piece of regulation, it is unsurprising that cases take a long time to resolve. This is especially true with technology companies, because their services often permeate through a number of different countries in which the legislation applies.
Despite the threat of large fines, however, the GDPR should also be embraced for the benefits it can bring to an organisation. At Pro-Networks, we regard it as a key pillar in our IT support and services, because compliance with GDPR and other standards helps bring about a culture of best practices, which in turn leads to better cybersecurity.