French regulators’ decision to fine Google almost $57 million for violating the General Data Protection Regulation shows that the European Union is serious about coming after U.S. tech giants.
My colleague Tony Romm reported that yesterday’s fine is the first major penalty brought against a U.S. technology company for a violation of Europe’s data privacy regime that took effect in May 2018. France’s top privacy agency, known as CNIL, said Google ran afoul of the new rules when the company failed to properly disclose how users’ data was collected and did not obtain proper consent for personalized advertising.
This kind of tough enforcement of GDPR positions the European Union to set the bar on privacy globally. The ruling highlights the stark contrast between Europe’s strong new privacy regime and the absence of a federal privacy law in the United States — and aggressive enforcement could intensify calls among consumer advocates in the United States to grant Americans similarly robust privacy protections. Either way, the privacy crackdown means more pain for Silicon Valley.
The French fine could be the first of many European fines against American technology companies: The privacy activists who brought this GDPR complaint against Google have also filed complaints against Facebook and its subsidiaries Instagram and WhatsApp in other E.U. countries.
Estelle Massé, a data protection expert at the advocacy group Access Now, told my colleague James McAuley in Paris that the French ruling is “the first big signal” that Europe is willing to enforce GDPR. Other U.S. tech giants have engaged in similar practices, she said, creating the possibility that they may face their own fines. Many technology companies have lengthy and complicated privacy policies that critics say fall short of explaining to consumers how their data is being used.
“Google is not the only one doing this,” Massé said. “This is significant for Google as a company but also for other actors.”
David Heinemeier Hansson, the chief technology officer of the software firm Basecamp, tweeted that the ruling underscores that GDPR could challenge any technology company whose business model heavily relies on ad targeting:
He tweeted “If GDPR is actually going to be enforced like this going forward, and it’s not just a one-off French expedition, the entire business model of Google and Facebook as it pertains to using personal information for ad targeting is in doubt. ABOUT BLOODY TIME! What’s striking about this judgement is just how plainly the violations are detailed, and how clear it is that Google is not going to weasel out of compliance by evading informed consent by its normal tactics of obfuscation. This is a potential game changer for online privacy.”
There are other ways the E.U. is clamping down on U.S. technology giants. One of the toughest opponents of Silicon Valley’s growing power has been the E.U.’s top competition cop, Margrethe Vestager. She’s levied a record-setting antitrust fine against Google and scrutinized Apple and Facebook. The Associated Press reported that though her term ends this fall, she’s exploring ways to ensure regulation of U.S. technology companies continues after she leaves office. She is planning a new report to direct the E.U.’s competition policies in the digital era.
With this backdrop, many consumer advocates are wondering why the Federal Trade Commission – the United States’ top privacy and competition watchdog – hasn’t taken more action against technology giants.
Jeff Chester, the executive director of the Washington-based privacy advocacy nonprofit group Center for Digital Democracy, said that his organization and other groups have urged the FTC to examine Google for the same problems that the French regulator just addressed in its fine.
“Our FTC has had years to act – and there has been nothing done,” Chester said in an email. “Yet it only took the French privacy regulator a handful of months to decisively protect the public.”
As Congress plans to take on national privacy legislation this year, one of the key issues it will grapple with is whether the 104-year-old FTC is well equipped and has the resources to take on Silicon Valley behemoths. Several of the privacy bills that have been floated by Democrats include provisions to give the FTC greater authority and resources to address suspect data collection practices.
Consumer advocates and policymakers alike will be closely watching the outcome of an FTC investigation into Facebook in the wake of the Cambridge Analytica incident, in which the political consulting firm tied to Donald Trump’s campaign obtained Facebook users’ data without their consent. The Washington Post’s Tony Romm and Elizabeth Dwoskin reported last week that the agency is considering bringing a record-breaking fine against the social network.
But as The Post’s Geoffrey Fowler noted, even a record-breaking fine could have little impact on the tech giant.