It was not the first such event, nor will it be the last. At 11:41 p.m. on January 20, 2019, the bright Austin night slipped into shadow as the full moon took on a deep crimson hue. The total lunar eclipse lasted only 62 minutes, but its effect on the landscape was remarkable. In past centuries, this would be a sign of change — a guidepost heeded by careful observers. Later that same day, an event of similar portent occurred: French data authority CNIL levied a penalty of 50 million euros ($57 million) against Google under the General Data Protection Regulation (GDPR).
CNIL found fault with Google on two fronts: a lack of transparency for how user data is processed and a lack of legal consent from users for targeted advertising. The process of understanding how users’ data is used, for example, is cumbersome:
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service.”
The process required in order to opt-out of targeted advertising was found to be similarly confusing: CNIL stated that “the collected consent is neither ‘specific’ nor ‘unambiguous’.”
Granted, the penalty for Google is not as severe as it could have been — with a maximum possible penalty of 4 percent of global revenue, that would be more than $4 billion. The exact amount of the penalty is not the key element here, however; more important is the growing number of penalties handed down by regulatory agencies. Since the first fine under GDPR was issued in Austria in October for €4,800, the financial costs have been rising: a German social-media company was fined €20,000 for mishandling of passwords, and a Portuguese hospital was fined €400,000 for allowing non-medical staff access to patient medical records. Google's penalty is not merely the fourth in this recent run of fines; it is also by far the largest.
And as the fines escalate, so does the power of GDPR and data privacy regulation — and not only in Europe. Pressure is mounting in the United States for a national privacy law: various privacy advocacy groups, several major corporations, and at least three U.S. Senators have all proposed different frameworks as a foundation for new federal regulation on how user data is collected and used. Compliance with legislation demanding that enterprises ensure the privacy of their users and employees will soon be a requirement to enter the marketplace, and businesses will soon market themselves as good stewards of the data with which they have been entrusted.
The latest penalty for GDPR violations is not the first such fine, nor will it be the last. But just like the celestial event of January 2019, it is a portent of what is to come: privacy regulation that has true power.