
The first real test of GDPR


The fine issued to Google by France’s data protection regulator is the first significant fine imposed on one of the large tech giants for failing to comply with Europe’s General Data Protection Regulation (GDPR).

GDPR was designed to increase the protection afforded to all EU citizens, eliminate confusion by harmonising the many national data privacy laws, and change businesses’ approach to personal data by introducing explicit transparency requirements. It came into effect on May 25th 2018 and is the biggest change in data protection law for 20 years, replacing the Data Protection Directive of 1995. Importantly, its impact is not restricted to EU organisations: it has implications for any company in the world that holds data on the continent or on any individual living in the EU, hence the fine issued to Google.

Considering some of the data-related breaches that individuals have experienced in the past, GDPR is welcomed as great news for individuals; however, it may present some complex challenges for companies, particularly since any organisation found in breach of the new regulation could face fines of up to €20,000,000, or up to 4% of the company’s profits from the previous year, whichever number is higher.

Enforcement of GDPR

Generally, the EU is notoriously slow both at legislating and at enforcing its rules. However, since GDPR took effect in May 2018, three enforcement actions were issued in that same year.

  • October 2018 - a local business in Austria was fined €4,800 for a CCTV camera that captured more video of a public space than was necessary.  
  • November 2018 - in Germany, a social media platform was fined €20,000 for its data storage practices rather than for a full breach: it was storing user passwords in plain text without hashing.  
  • December 2018 - the most significant fine under GDPR in 2018 went to a hospital near Lisbon, Portugal. It was fined €400,000 because staff at the hospital used bogus accounts to access patient records.

We all know that the ICO issued fines to both Facebook and Uber in 2018, after GDPR went into effect. However, both incidents occurred before the new rules applied, and thus they were only fined €500,000 and €385,000 respectively. These are paltry sums considering that a company like Facebook made $13.2 billion in revenue in the first quarter of 2018 alone, and the figures could have been far higher had the breaches occurred after GDPR came into force, as Information Commissioner Elizabeth Denham explained:

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR.”

This means that Google’s fine of €50,000,000, issued in January 2019, was the first issued to one of the large tech giants after GDPR went into effect. We cannot ignore the significance of this, because there is an unspoken but generally accepted view that GDPR was prompted by concerns that tech giants like Google and Facebook could abuse their power through the limitless collection of people’s personal data. One would think, therefore, that on the face of it these tech giants would have the most work to do in order to comply.


Effects of GDPR on SMBs

Ironically, the new regulations seem to have ended up hurting smaller firms rather than the Googles and Facebooks of this world, contrary to EU officials’ expectations. Evan Spiegel, CEO of Snap, is known to have said, “There are times in history when regulation has actually entrenched big companies because they’re the most capable of complying…”, and Mark Zuckerberg, Facebook’s CEO, echoed the same sentiment to the U.S. Congress.

Complying with GDPR may be more than a little onerous for companies that don’t have the financial or engineering resources of Facebook or Google. According to a range of online sources, companies can expect to pay between $1m and $10m to make the necessary changes and comply with GDPR.

Despite this, the real test of GDPR was always going to come when complaints were raised against the tech giants, and whether or not the new rules would then be enforced. The stakes of this test are raised further by the view, held by some, that the large technology organisations may be too big to take down, an important parallel to the banks labelled too big to fail after the 2008 financial crisis, which subsequently got away with not fully complying. The chairman of NOYB, the organisation that lodged the Google complaint, said: “Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products.”

EU makes Google an example

Several complaints were lodged against Google in late 2018, and now the company has actually been fined by France’s regulator for a lack of transparency and valid consent in advertising personalisation, including a pre-checked option to personalise ads. This is potentially a wake-up call to all of the tech giants.

I must note that this only marks the beginning. The fine is nowhere near as big as the maximum of 4% of annual global turnover, and, true to form, despite issuing a statement that the company is “deeply committed to meeting the high standards of transparency and control that people expect of it”, Google has also announced that it plans to appeal the fine.

It will be really interesting to see what happens next. GDPR still feels like a work in progress, and its ultimate effectiveness will depend on how well it is enforced against the tech giants and on whether it succeeds in forcing them to adhere to the regulations.

Mike Bugembe, Chief Analytics Officer at Just Giving