It's the regulatory version of Y2K, they said. It's there to appease all the privacy advocates, they insisted. It'll never result in any fines, some suggested.
And when Europe's General Data Protection Regulation went into effect last May, the general response of U.S. corporations could be described as ranging from curiosity to total apathy. One thing I never heard anyone express when the subject of the GDPR came up was fear.
Yeah, about that. The GDPR — the long-debated, oft-derided, and much anticipated privacy safeguard that had, for several months, been making all of those skeptics look smart — finally showed its teeth this month, and the target is a doozy: Google.
On Jan. 21, French privacy regulator CNIL (the French acronym for the nation's National Data Protection Commission) cited the GDPR in slapping Google with a $57 million fine for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization."
The fine stems from complaints CNIL received last year from Austrian privacy advocacy group None of Your Business and French digital rights advocacy group La Quadrature du Net, both of which contended that Google didn't have a legal basis for processing users' personal data for the purpose of personalizing ads.
Of course, this raises the question: $57 million? The GDPR is written so that offenders can be fined up to 4 percent of their annual revenue, which in Google's case would translate to a fine well in excess of $3 billion. So what gives? According to an Information Age report, while the fine was assessed against Google Inc., the decision was addressed to Google France, which had revenue of about $370 million. Again, the math doesn't add up, so CNIL might have some more explaining to do there, but the bottom line, according to privacy-watchers, is that Google has been caught with its proverbial pants down, and that it has been intentionally deceptive with its privacy practices.
"They built their entire business model on a house of cards," said U.K. privacy attorney Abigail Dubiniecki. "They can’t say they have consent, so they have no lawful basis to use this data."
While Google clearly represents a splashy first test case for the GDPR, more big tech names should expect to finfd themselves in the GDPR's crosshairs. A recent piece in the Independent called the fine the "tip of the iceberg," with a number of experts weighing in with cautionary statements about what they expect to come.
"The penalty imposed on Google by the French regulator can be seen as a warning shot at the digital industry at large," said Ron Moscona, a privacy rights attorney and partner at international law firm Dorsey & Whitney. "After many years of under-enforcement, regulators in the EU are prepared to use GDPR and flex their muscles."
The Independent piece goes on to suggests that companies such as Amazon, Apple and Facebook could be in line for GDPR fines. Naturally, the GDPR's reach could extend to any company that's holding consumer data, but the big names in tech that have turned harvesting of and capitalizing on consumer data into an art form are a logical place to start.
In a case of interesting timing, the fine comes just a couple of weeks after a report from King's College London Cyber Security Research Group proposed that the U.K. government (and, by implication, all national governments) publicly identify and shame companies who fail to adequately protect consumer data. The authors argue that outing companies in this way would incentivize them to shore up their cyber defenses and avoid additional public embarrassment.
While this already happens to those companies that suffer breaches that make the headlines, Tim Stevens, one of the report's authors, told Forbes that the goal of any program that would identify offenders shouldn't be to harm companies' reputations, but rather to get companies to be more proactive.
"No one really wants to have to do this," Stevens said. "The hope is that organizations will want to pursue better cyber security anyway."
Alas, we've been hearing that hope, or very similar ones, for a long time. Yet, huge, publicly disclosed breaches haven't done much to move the needle. Nor has the theft of hundreds of millions of consumers' private data from organizations such as Experian, Target and Yahoo, not to mention the substantial revenue hits that have resulted from mitigation efforts related to those breaches.
And while $57 million may not be much to Google, if this first fine really is the tip of the iceberg, then there's no telling how big that iceberg is, and thus how large future fines might climb. Maybe, just maybe, the GDPR represents something that will deliver on that hope. If nothing else, it's certainly gotten the tech industry's attention.