The data protection authority of France, the CNIL, assessed the first penalty against a US company, Google, on January 21, 2019. The penalty, 50,000,000 Euro, was levied on the basis that Google’s information regarding its practices and the way in which it obtained user consent was not clear and unambiguous. This should surprise no one who has ever tried to view or change privacy settings on an Android phone or a Gmail account.
Nor is it a surprise that the French, vigilant for many years in protecting privacy, would issue the first penalty. After all, their data protection authority is the Centre Nationale de l’informatique et des libertés. Roughly translated into English, the CNIL is the National Commission on Informatics (data) and Liberty. Yes, they conflate a person’s data rights with his or her freedoms. This is the theme behind the law under which the penalty was assessed, the General Data Protection Regulation, or “GDPR” (EU 2016/679). This law applies to US companies that sell or market goods and services to EU residents, or track the online behavior of EU residents (for example, through “cookies”).
This is the first shot fired in what will no doubt be a lengthy GDPR war that EU countries will wage in the name of basic digital rights protections for their residents. The penalties, which can reach as high as 4% of annual revenue, may be much higher as supervisory authorities of other countries consider other Google practices, such as the questionable ability of a user to effectively turn off location tracking.
If you have questions regarding applicability of the GDPR to your organization, or the requirements of the GDPR, please contact Kenneth N. Rashbaum.