THE PRIVACY wars have begun in earnest. On January 21st France’s data-protection regulator, which is known by its French acronym, CNIL, announced that it had found Google’s data-collection practices to be in breach of the European Union’s new privacy law, the General Data Protection Regulation (GDPR). CNIL hit Google with a €50m ($57m) fine, the biggest yet levied under GDPR.
Google’s fault, said the regulator, had been its failure to be clear and transparent when gathering data from users. Signing up for a Google account on an Android phone means navigating a sea of documents eight-clicks-deep to understand what data about you Google is collecting.
So far, so technical, but the bigger picture is what matters. The fine represents the first volley fired by European regulators at the heart of the business model on which Google and many other online services are based, one which revolves around the frictionless collection of personal data about customers to create personalised advertising. It is the first time that the data practices behind Google’s advertising business, and thus those of a whole industry, have been deemed illegal.
Google says it will appeal against the ruling. Its argument will not be over whether consent is required to collect personal data—it agrees that it is—but what quality of consent counts as sufficient. It will be an argument about the placement of tick-boxes on web pages and the size of fonts in terms-and-conditions documents. This nitty-gritty of GDPR, the legal semantics of phrases like “informed consent”, will be decided through the courts, where GDPR will go from theoretical legislation to practical rules for running a digital empire.
This arcane wrangling will be important enough to the digital economy’s operation that the CNIL’s decision is likely to end up at the EU’s top court, the Court of Justice in Luxembourg. Google has already challenged one CNIL ruling, on the right to be forgotten, which obliges it to scrub some personal data from its services (the outcome of the tech giant’s appeal has not yet been decided).
All European regulators will need to tread carefully. For one thing, they face accusations of using GDPR to bash American technology companies partly out of envy at not having created any such giants themselves. Criticism along those lines was slung at the CNIL decision as soon as it was announced. An obvious way to avoid it would be to apply the same level of scrutiny to European adtech companies, of which there are plenty.
They must also avoid chasing only the biggest firms, despite the headline-generating potential. There are questions for the entire adtech ecosystem under GDPR, not just the Silicon Valley giants. The CNIL signalled that it will apply its regulatory power broadly when it fined an obscure French adtech company called Vectaury in October. Up to now the rules that underpin the digital economy have been written by Google, Facebook et al. But with this week’s fine that is starting to change.