On January 22nd, French regulators imposed the first GDPR fine on Google, amounting to 50 million euros (about 57 million US dollars) —— this is the first major implementation of the US technology giant since the 2018 GDPR regulations came into effect. Punishment. The root cause of the penalty is that Google did not correctly disclose to Android users how their data was collected and pushed the user to illegally push personalized ads.
How did Google make a mistake?
Origin of things
CNIL is the French National Information and Communication Commission (French Data Protection Regulator), and its official website gives an information point. On May 25 and 28, 2018, CNIL received a group complaint from a non-business organization (NOYB) and an ad rights organization La Quadrature du Net (LQDN). The LQDN was forced by 10,000 to submit the “this matter” to CNIL.
Both complaints allege that Google has no valid legal basis to process the personal data of its service users, especially for the purpose of advertising personalization.
CNIL's official website "fine notice”
CNIL handles complaints
CNIL immediately began investigating complaints. On June 1, 2018, CNIL sent these two complaints to its European counterparts to assess whether it had the authority to deal with the incident, in accordance with the European cooperation provisions set out in the GDPR. It should be noted here that GDPR establishes a one-stop service mechanism, which stipulates that only one interlocutor should be established in a business organization established in the EU. This interlocutor is the data protection regulatory agency (DPA) of the country where the organization is located.
Since Google's European headquarters is in Ireland, when France wants to investigate this matter, it must involve cross-border issues, and it also means coordinating cooperation between other data protection agencies.
But in fact, because Google Ireland’s headquarters does not have any decision-making power on the Android operating system and Google’s service handling during the account creation process, the country’s data protection regulators have no way of dealing with it, which means The one-stop service mechanism does not apply at this time —— CNIL has the right to make any penalties for Google's processing operations on the phone.
In September 2018, CNIL launched an online survey again to verify that Google's implementation of the processing is in compliance with the French Data Protection Act and GDPR by analyzing the user's browsing patterns.
CNIL observed violations
During the inspection process, CNIL found that Google violated new privacy rules in two key areas.
First, users are not able to easily access information provided by Google due to their breach of transparency and information.
What is the specific? When a user logs in to Google, personalized ads will appear on the page in turn, and the user must click the button and link multiple times (5-6 times) in order to access the next step in order to access the relevant information. In addition, some user data does not provide information about the retention period. This actually means that if the user does not passively accept the advertisement, the service will not be available (it looks like a lot of software in the country).
Second, it violates the obligation to provide a legal basis for the personalization of advertising.
Although Google says it has the user’s consent to process the data for personalized advertising. However, CNIL believes that for two reasons, Google cannot "effective"
First of all, the user's "agree" is not fully informed. For example, Google diluted the ads and spread them across Google Search, You tube, Google homepage, Google Maps, Playstore, and Google Images, and personal information was over-promoted in multiple files (20 expected).
CNIL believes that GDPR is not respected because GDPR stipulates that consent is only “when specific consent is given for each purpose.”
How did the 50 million euro fine come out?
The reason why this fine has attracted widespread attention is not only that the subject of punishment is the world-wide Internet giant Google, but also because it is the most severely fined GOPR since its birth. Earlier, GDPR initiated several small fines:
In December 2018, a Portuguese hospital was fined 400,000 euros after its staff used a false account to access patient records;
In November 2018, German social media was fined 20,000 euros for storing social media passwords in plain text;
In October 2018, a local Austrian company was fined 4,800 euros for shooting security cameras in public spaces.
CNIL's early adopters have made GDPR widely effective. CNIL believes that the fines for this decision and the promotion of fines are reasonable and give the following reasons:
This is not a one-time violation of GDPR by Google, but a continuous, long-term;
The purpose of the penalty is to require Google to implement the right of users to control their own information data, fully inform users of the risks, and allow users to effectively consent;
Considering the importance of the Android operating system in the French market, thousands of French people create a Google account every day when they use their smartphones, which has a big impact;
Google’s profit model is focused on advertising, so fines based on individualized advertising are justified.
GDPR opens the review of the Silicon Valley giants?
It is understood that GDPR was officially implemented in May 2018, introducing stricter rules for processing and storing personal data. The goal is to force large technology companies like Google to overhaul their user privacy policies, and EU-based rules require companies to fully disclose what they do to the data they collect and give their users more control over their information. Data breach incidents must be reported within 72 hours.
The fine from France may mean that GDPR has severely censored the Silicon Valley giants. After all, the EU has already penalized Apple’s tax practices and conducted multiple privacy scandals against Facebook on Google’s Android system. The alleged monopoly has imposed a fine of 4.34 billion euros.
Now, Google has eaten GDPR in Europe, and it is forcing other Silicon Valley colleagues to reconsider their risk-taking behavior.
The Washington Post believes that GDPR from Europe actually sets global privacy rules, while the United States lacks a similar, general federal consumer privacy law, which means that Europe has become the de facto world privacy police.
American group: & ldquo; We also have such a strong law & rdquo;!
For this penalty, Max Schrems, head of NOYB (no business organization), the non-profit organization that initiated the complaint, said: “We are very pleased that European data protection agencies have used the possibility of GDPR for the first time to punish obvious violations. The important thing is that just claiming compliance is not enough. ”
La Quadrature du Net, another group that initiated the complaint, believes that the fine is "very small" compared to Google's annual turnover. They want regulators to respond to other Google complaints as quickly as possible in order to make a fine of up to $4.7 billion.
Google earned $33.74 billion in Q3 in 2018
In response, Google said it was “resolving our next decision” and added: “People expect us to achieve high standards of transparency and control. We are firmly committed to meeting these expectations and the requirements of GDPR. “
For this fine, Google did not respond positively or not.
As the most important privacy and security regulator in the United States, FTC has failed to take action against technology companies for many years. At the moment, US consumer advocates are strongly encouraging US legislators to follow this footstep in Europe.
It is also worth mentioning that the front foot GDPR is fined, and Japan is keeping up with it. It intends to consider amending the law to implement the “secure confidentiality” regulations for overseas technology giants such as Google, Apple, Facebook and Amazon. Previously, the Indian data localization movement suffered strong resistance from the Silicon Valley giants.
Google "wrong", who will be the next one?