Why Google's GDPR Fine and Appeal are Good for Enterprise IT

Despite the huge build up to the European Union's new data privacy rules, GDPR (General Data Protection Regulation), going into effect in May 2018, the deadline came and went without a lot of fanfare. The world did not end. Companies weren't shut down. There really hasn't been a lot of news about enforcement actions. But that changed this week when France's data protection authority, CNIL, imposed a fine of 50 million euros ($57 million) on Google.

The world still did not end. After all, a fine of $57 million is sort of the equivalent of pocket change to a company as big as Google. The tech giant posted nearly $111 billion in revenue for 2017 (and hasn’t yet announced 2018 full year revenue but revenue was nearly at $100 billion in just its first three quarters of 2018.)

In announcing the fines, CNIL said two organizations made complaints against Google, "for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes."

Google, for its part, said that it would appeal the fine.

"We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing," a company spokesperson said in a statement emailed to InformationWeek.

"We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we've now decided to appeal."

As CNIL and Google dive into the appeal process, enterprise IT organizations will likely get a clearer idea of how GDPR will actually be applied in the real world to real cases.

For instance, the appeal will likely provide more detailed definitions as to what constitutes transparency when it comes to data collection.

Plenty of respected law firms and IT advisory firms have issued their own recommendations to clients about best practices for complying with GDPR. For instance, Gartner issued a 23-page report to provide guidance to its clients that were working to comply. Consultants have helped organizations walk through the process of coming into compliance. But there's really been no way to test whether that compliance is adequate other than with real world cases where fines are levied and appealed. There's no substitute for actual experience.

The Google case will provide that, and possibly other cases will do that, too.

Although CNIL just announced the Google fine this week, the authority began investigating the complaints against Google in June 2018, almost immediately after the new law went into effect. It's certainly possible that there are other investigations that are ongoing now, and that could eventually result in fines against other big companies that have their hands deep in consumer data.

Meanwhile, the issue of individual privacy and ownership of your own data has reached a new level of awareness among consumers, not just because of GDPR. Facebook's many data leaks have focused consumer and lawmaker attention on problems with the protection of consumer data privacy. Even executives at tech firms have recently been calling for new rules to protect people's data. That includes Apple CEO Tim Cook who wrote an OpEd piece for Time Magazine earlier this month calling on the US Congress to pass federal privacy legislation here that would be "a landmark package of reforms that protect and empower the consumer." The article built on a keynote address Cook delivered in October 2018 at a conference Data Protection and Privacy Commissioners in Europe.

For enterprise IT, both the Google appeal and the Apple executive push for greater privacy laws will provide greater clarity about what organizations need to do to protect privacy.

For more on data privacy read:

GDPR and the End of the World

How to Prepare for GDPR's Data Privacy Changes

Data Privacy: How to be Worthy of Consumer Trust

Protect Your Data Privacy Online: Top Experts Share Personal Stories