Google sign against blue sky
PHOTO: Paweł Czerwiński

Earlier this week, the CNIL — France’s data protection authority (DPA), which is responsible for monitoring and enforcing privacy rights in the country — fined Google $57 million, citing a lack of transparency and valid consent regarding the personalizing of its ads, as well as providing inadequate information.

In part, the fines were doled out because the CNIL determined that Google did not collect sufficient and unambiguous consent from consumers for its data collection activities, particularly as they pertain to Google’s personalization for its advertisements. A variety of services, websites and applications are involved and intertwined in these data collection processes — and the information about how the data is collected is spread across several documents. Because of this, it’s almost impossible under the current model for an end user to truly be aware of how their data is being used to make an informed choice consenting to the collection of their data.

How Google’s Fine Will Impact the Rest of Europe

Organizations around the world are holding their breath waiting for Google’s inevitable appeal — and the outcome of said appeal — as the decision has the potential to alter the way companies conduct their free, web-based platforms moving forward. It also has the potential to significantly impact the very nature of the relationships between these companies, their advertisers and consumers.

But perhaps of even greater significance is the fact that this decision was handed down by the CNIL — France’s DPA — and not Ireland’s DPA, which is Google’s lead data protection authority. This is key for two reasons:

  • Oftentimes, organizations like Google go to great lengths to select a DPA that will be most favorable to their business models as their lead DPAs. This decision would set the precedent that the DPAs of other countries can also hand down hefty fines — not just those that are the lead DPAs.
  • Organizations that may have been complacent in their focus on and compliance with GDPR thus far because they thought they would only be subject to their own country’s specific DPA may now be jeopardy of being hit with fines for failure to comply accordingly. For instance, many French organizations have only focused on complying with the CNIL’s guidelines, while several German companies have focused only on the historical actions brought by German DPAs.

Google’s $57 million fine this week illustrates that GDPR truly stretches across all of Europe. Furthermore, it also highlights the fact that every organization that provides goods and services — or does significant monitoring of European citizens — must be aware that they may be regulated by any DPA within the European Union. Because of this, “forum shopping” — or selecting the DPA that would be the most favorable to your business — may not be the best strategy to employ moving forward.

Related Article: GDPR Is Here. So What Comes Next?

How Google’s Fine Will Influence US Privacy Regulations

Of course, this Google decision handed down by the CNIL also has the potential to fundamentally change the world of online advertising as we know it today, due to the new regulations it could put in place regarding the collection of user data to personalize online ads. But beyond that, it may have widespread effects on a federal privacy regulation in the US, which many believe is inevitable in the near future.

Will the US take the same “privacy is centered on the individual” approach that Europe employed with GDPR? Or will America be more tolerant of the admittedly dubious behavior of companies looking to provide free products at the cost of collecting users’ personal information?

As Congress considers how it will regulate companies and bring enforcement actions against overt misuses of personal information, consumers may also need to influence companies in their technology purchase decisions. The existing privacy framework in the US and around the world — which is primarily based on notice, consent and choice — will need to be reexamined and reworked as new uses of data, AI and machine-to-machine communication becomes the norm.

The personal data and information that consumers disclose online will follow them around forever. They will be used by companies and people we know and consent to using our data, but also by strangers. How will what you disclose online today be perceived tomorrow, or next month, or years from now — not just by your friends and family, but also by your employers, the government and other strangers?

As of now, we can self-regulate ourselves by choosing not to use a company’s technology if we feel or know that the organization won’t protect our personal information. But if companies continue to circumvent their stated privacy policies, or those of other regulators, Congress will need to act to develop legislation to further protect consumers and create real consequences if organizations fail to comply.

Related Article: Is It Finally Time for a Federal Privacy Law?