European regulators have fined Google and its parent company Alphabet €50 million in response to a complaint filed on May 25, 2018, saying that Google failed to meet the requirements of the GDPR in its privacy practices. The complaint concerned the company’s Android mobile software, and it claimed that Google was not transparent about how it used customer data and was not obtaining proper consent for the use of that data in its ad network.
The complaint against Google was the first major action filed under the GDPR, taking place on the same day that the European privacy regulation took effect. However, other large U.S. companies, notably Facebook, Amazon, Netflix and Spotify, have also had complaints filed against them by European privacy advocates. The Facebook complaint was filed at the same time as the one against Google; many observers expect an even larger fine there.
Of course, Facebook has privacy problems that extend far beyond the GDPR. A number of sources report that the Federal Trade Commission is about to fine Facebook for privacy violations in the U.S. as well. Facebook is already dealing with problems in Europe created by its relationship with Cambridge Analytica, which has itself been fined for GDPR violations.
U.S. Companies Not Immune to GDPR Fines
While 50 million euros is basically petty cash for Google parent Alphabet, it’s enough money to get the attention of other U.S. companies doing business in Europe. The message it sends is that U.S. companies aren’t immune from GDPR regulations if they do business in Europe, and that EU authorities aren’t afraid to fine U.S. companies.
In a related action, Austrian lawyer Max Schrems, who runs an advocacy organization called “noyb” (for “none of your business”), has filed complaints that several organizations, including Google and Facebook, require users to agree to give up their privacy as a condition for using the service. Such a linkage is prohibited under EU regulations.
The risk to U.S. companies that aren’t the size of Google or Facebook is that European regulators appear to be focusing their biggest guns on Americans. The CNIL (Commission Nationale de l’Informatique et des Libertés), the French privacy regulator, also found that Google’s efforts to comply with the GDPR aren’t adequate, because the vast amount of data held by the company makes it likely that such data could be linked in ways from which additional personal information can be inferred.
Other large companies with equally vast amounts of data would have similar problems and will likely find that they are also fined on that basis. In a statement, CNIL notes that the violations at Google are continuing and obvious: it is not a one-time or limited infringement, nor is it limited only to Android. This means that Google will have to find a way to satisfy the privacy regulators in Europe or face an increasing level of fines. Those fines can be as high as four percent of a company’s gross revenue, which for Google would be substantial, given its 2017 revenue of $111 billion.
Firms Must Pay Attention to Privacy Requirements
What this means for other companies is that it’s critical to make certain they’re meeting all of the requirements of the GDPR if they do business in Europe. This doesn’t mean they can’t sell products or services to Europeans, but it does mean they have to pay attention to privacy requirements if they are doing more than occasional sales via their websites. It does not mean they have to block Europeans from their websites, but it does mean they need to be careful about what information they collect.
Advice to U.S. companies:
- Make absolutely certain that you don’t collect any information from anyone in Europe that you don’t actually need to perform the service or to sell the products that you’re selling.
- Ensure that you provide advance notice of what information you’re collecting, why you’re collecting it, and how long you will keep it. Make sure that users can opt out where possible. This means that you can request a delivery and billing address if you sell something, but you can’t hang on to that information without specific permission.
- Be prepared to provide absolutely every piece of information of any kind that you hold on an EU citizen upon request, and be prepared to delete everything that you’re not legally required to preserve.
- Don’t use any data arising from an online transaction for marketing, no matter how tempting. This includes that person’s personal information, their location, their IP address or email address, or even the metadata that comes with the transaction.
- If you plan to do business regularly in the EU, hire a privacy consultant who can help you stay in compliance.
- Take advantage of the many help files, web pages and other materials provided by the EU that are designed to show you specifically what’s allowed and to help you do it right.
It’s important to know that the Europeans are serious about their privacy, and if you look at their history, you can see why. They specifically don’t want any central repository of personal information that’s available to anyone, including U.S. companies or even their own governments.
The price they paid in the 1930s and ’40s was too high for them ever to want to risk that again.