Georgetown Law
Technology Review

The Growing Concern Over Data Privacy

Individual data privacy is and has been a global concern for much of the 21st century. Should anyone need convincing, it is estimated that Google processes over 40,000 searches per second. Internet searches generally occur through a web browser run via a local computing environment. It may seem completely innocuous to query a search engine or visit a webpage on your computer; but some form of personal data is probably collected when those tasks are performed.

Data enters the realm of personalness in two general ways: (1) via the propensity to be traced back to a specific person, regardless of how derivatively (i.e. IP address); and (2) when the data contains information that is specific or unique to an individual (i.e. search engine history, passwords). These broad categories highlight the fact that personal data exists in many forms. This fact, coupled with the copious gateways to collect personal data, is at the center of the global concern over data privacy.

Given the increasing number of avenues from which personal data may be collected, regulators and lawmakers in many countries have sought means to formally protect it. A notable manifestation of means employed to enforce data protection is the European Union’s General Data Protection Regulation (“GDPR”). The GDPR regulates the processing of persons’ data by individuals, companies, and other entities. This regulation is partly aimed at precluding purveyors of digital technology from unfairly interacting with consumer data. Violations that pertain to this aim are part of the reason that the GDPR is currently at the forefront of global technology news.

The Investigation and Fine

In January, 2019, French regulator CNIL (Commission nationale de l’informatique et des libertés) issued a $57 million fine to Google for violating GDPR rules. This penalty is both the first involving a U.S. based technology company, and the largest to date under the GDPR. Google allegedly used consumer data, sans GDPR compliant consent, to curate personalized ads for users. CNIL detailed its investigation in a January 21, 2019 statement.

CNIL asserts that the fine imposed on Google is derived from two complaints that were submitted for CNIL’s review in May of 2018. One of the complaints included a 10,000 signature petition mandating the French advocacy group La Quadrature du Net to refer the matter to CNIL. The complaints accused Google of not having a valid legal basis to process users’ data in connection with ads personalization.

Upon receipt and validation of the complaints, CNIL took steps to satisfy the procedural and administrative requirements of the GDPR and began its investigation. The investigation reportedly concluded with a finding that Google violated its obligations of (1) transparency and information, and (2) user assent to ads personalization processing. CNIL’s reasoning behind these conclusions is below.

Lack of Transparency and Information. CNIL states that the extent of Google’s data processing operations are enigmatic to users, and that those operations are “massive and intrusive”. CNIL also states that Google’s purposes for collecting data are described in a manner that is too vague for users to reasonably comprehend.

Lack of Assent to Ads Personalization. CNIL concedes that Google acquires user permission to process data for ads personalization. They however aver that the consent is not validly obtained. CNIL rests this averment on two premises. Firstly, that the documentation Google provides is distributed among several documents, which dilutes the information. Secondly, that the consent collected by Google is neither “specific” nor “unambiguous”.

Impact on Google and the Rest of the Tech World?

It is important to note that ads personalization is one of Google’s monetized business lines. The financial consequences that flow outward from the GDPR fine could thus be deeper than the fine itself. The foregoing statement is in no way intended to diminish the breadth of a $57 million fine. That said, the GDPR violations may prompt Google to alter its consumer interactions for both internet ads and other product lines. One might theorize the potential financial and corresponding economic ramifications that might be triggered by the fine. This however would be pure conjecture without, inter alia, substantial data on the finances and product life cycles of Google. In forecasting impact, it should also be noted that proceedings surrounding the fine are still in progress.

Google announced its intent to seek recourse via appeal on January 23, 2019. One might argue that regardless of the outcome, the damage has been done. That even if Google wins the appeal; the mere possibility of a tech giant being responsible for a fine of this magnitude will change how technology companies interact with consumer data. That argument is not without merit. The most successful business often plan ahead, and act preventatively. Google isn’t the only company with ads personalization products. Furthermore, Google and other tech companies have other products that might similarly violate the GDPR. The fine under discussion evinces the willingness of European regulators to enforce the GDPR against U.S. based companies. Whether Google wins the appeal or not, this fine arguably has put the tech world on notice that the GDPR is here to stay, and should be taken seriously.