France’s multimillion-dollar fine against Alphabet Inc.'s Google may end up as a benchmark for other EU privacy regulators if they decide to sanction big U.S. tech companies for alleged violations of the bloc’s sweeping privacy law.
France’s privacy office, the CNIL, hit Google with a 50 million euro ($56.7 million) fine Jan. 21 for allegedly violating the EU’s General Data Protection Regulation. Google is appealing the penalty.
If Google is unsuccessful, the French fine may nudge other data protection authorities to inflict substantial penalties on tech companies if they discover broad GDPR violations, privacy attorneys told Bloomberg Law. Regulators will determine the size of any fine based on the facts of each case, but EU data authorities are likely to look at the CNIL’s decision as a baseline for future enforcement, they said.
The enforcement action “may well set a trend in more aggressive fines,” Rafi Azim-Khan, partner and head of data privacy, Europe at Pillsbury Winthrop Shaw Pittman in London, told Bloomberg Law. Other privacy offices have already given the maximum fine under the old regime, but the “days of a slap on the wrist are now done, and it highlights how the GDPR needs to be taken seriously,” he said.
EU regulators will likely look to Google’s French fine as a “starting point,” Cynthia Cole, special counsel at Baker Botts LLP, told Bloomberg Law. France “set the floor” for broad GDPR fines, and other enforcement agencies may be “emboldened to go further,” she said.
Google could have faced a fine up to four percent of its annual revenue under the General Data Protection Regulation.
It’ll be hard for other EU regulators to assess lesser fines than the French regulator did for similar GDPR offenses and penalties “can only go up,” Cole said.
The privacy fine also puts Google and other tech companies that may see enforcement on notice to not repeat its actions, Joseph Jerome, policy counsel at the Center for Democracy and Technology’s privacy & data project, told Bloomberg Law. The CNIL has “left things open to come back and see how Google remediates” the alleged privacy violation, he said.
Google didn’t immediately respond to Bloomberg Law’s requests for comment. CNIL said it couldn’t comment on the appeal since it’s in the trial stage.
Google will start its appeal by trying to convince the French Council of State that it didn’t violate its GDPR obligations. If the company isn’t successful there, it could go to the Court of Justice for the European Union, attorneys say.
The search giant will likely try to show that it met the transparency requirements under the GDPR, Sonia Cisse Head of Linklaters TMT Practice in Paris and managing associate, said in an email. The French court may “consider that the information provided by Google, even though it is spread across several documents, is transparent enough because it is sufficiently accessible, clear and understandable,” she said.
Google may also challenge whether the CNIL had the jurisdictional authority to issue the fine.
“Google could first question the procedural aspects of the decision with a particular focus on the CNIL’s competence,” Cisse said, referring to the jurisdiction question. The company may try to show that its Irish operation “was its main establishment in the European Union (EU) at the time of the CNIL’s investigations,” she said.
A Google victory may help tech companies that are possibly facing their own GDPR penalties, privacy attorneys said.
“Should Google’s practices regarding transparency, information and consent be eventually deemed compatible with the GDPR, this would then provide useful information regarding which practices are concretely acceptable in this respect,” Cisse said. Such a decision would “support the position of various tech companies with similar business models, where these are challenged by supervisory authorities,” she said.
EU privacy officials see the France’s penalty as a sign of things to come.
“As we have been saying, people should not by default be required to accept the dominant business model of tracking, profiling and targeting,” Giovanni Buttarelli, the European Data Protection Supervisor, said in an email statement to Bloomberg Law. “This is a significant step in showing that data protection must become a reality on the ground, not just just a slogan,” Buttarelli said.
Each country may take a different approach to enforcement because each regulator can interpret the GDPR’s provisions differently, privacy attorneys said.
Each data protection authority also has a different “enforcement culture,” Gabriela Zanfir-Fortuna, policy counsel at the Future of Privacy Forum who formerly worked for the European Data Protection Supervisor in Brussels, told Bloomberg Law. Over time, though, their practice will start converging, she said.
“In any case, CNIL’s fine is perhaps the public nudge other regulators needed in order to step up the proceedings opened last year that they are currently dealing with,” Zanfir-Fortuna said.