The fine is the fourth for Google under the European Union’s strict privacy law and the second highest in value after the 50 million euro penalty (then 57 million US dollars) the company was hit with in France in 2019. Other countries to sanction the tech giant include Sweden and Belgium.
The slowness of the Irish Data Protection Commission (DPC), Google’s main watchdog, to close two pending cross-border complaints against the company has been a source of dismay. The complaints concern real-time online auctions and how it uses personal data to deliver advertising, as well as its use of location data.
Experts provide differing views on why Google and other tech companies have fared relatively lightly.
“Perhaps an easy answer would be that they weren’t found to be breaking the law,” said Nigel Jones, co-founder of Privacy Compliance Hub.
The real answer may be “more nuanced,” Jones added. European data regulators have tended to educate rather than penalize because “they have to make sure they are on a solid legal footing if they want to impose fines. It requires resources, and the fact is that Google’s resources far outweigh any regulator’s resources,” he said.
According to Jones, another reason could be that Google, unlike some tech companies, has tended to take a dovish approach with the Irish regulator and other DPAs on practices that may violate GDPR, meaning that “there will have been a back-and-forth dialogue between the company and the regulator throughout this time”.
The move has already paid off: Google has amicably resolved a cross-border complaint to the Irish DPC over YouTube content involving a child, for example.
Ryan Gracey, chief technology officer and partner at law firm Gordons, said big tech companies have received relatively few fines to date because of the nature of potential GDPR breaches.
“Big tech investigations have tended to cover up their own misuse of personal data to gain financial and competitive advantages, such as Google’s lack of transparency on how their personal data is used, while other industries where we’ve seen a higher frequency of fines, like telecoms, involve data breaches related to mass disclosure of personal information,” Gracey said.
The former, Gracey said, “are difficult, complex and time-consuming for regulators to investigate, understand and take action,” while the latter “are much simpler” because the regulator can easily identify the violation, consider aggravating and mitigating factors, and then issue a proportionate fine.
Experts added that part of the challenge of Big Tech regulation is a lack of transparency about what companies do, which makes it harder to know what is being done. Another issue is the efforts of these companies to strengthen their legal teams.
Flavia Kenyon, a lawyer at law firm The 36 Group, cited the failure of GDPR enforcement powers and the coyness of regulators as other problems.
She believes that the GDPR one-stop-shop mechanism is “not fit for purpose” and “does not address data protection issues affecting millions of internet users across Europe”.
The Irish DPC’s inaction played a role in the European Commission’s passage of proposed Big Tech antitrust legislation to tackle the misuse of personal data, privacy and data monopolies, as well as to “reassert the Commission’s digital sovereignty through another legislative avenue,” she said. The Digital Markets Act would give national regulators the ability to impose fines of up to 10% of global turnover for infringements.
Will Richmond-Coggan, director and data protection litigation specialist at law firm Freeths, noted that fines are just one tool available to enforcers under the GDPR. “To be realistic, for a company the size of Google, fines won’t necessarily be the best way to achieve positive improvements,” he said.
The UK’s Information Commissioner’s Office, for example, did not fine Google’s DeepMind project over its unauthorized use of personal medical data in a research initiative, but took the opportunity to establish guidelines on how these data projects should be set up and operated in the future to ensure compliance.
Richmond-Coggan challenged the idea that big tech companies have “emerged from the light” in the European Union. They have been the recipients of a substantial amount of regulatory activity and received some of the most significant penalties under the GDPR, he noted.
Furthermore, the international data transfer landscape has been completely reshaped by a series of legal challenges against Meta/Facebook by privacy activist Max Schrems, which has put data protection and compliance at the forefront of the activities of technology companies, said Richmond-Coggan.