When the European Union’s massive data privacy regulation went into effect last May, companies dealing in EU residents’ data had a big question yet to be answered: How vigorously would it be enforced?
Now, with Google facing an eight-figure fine and major streaming services facing new complaints, companies are getting a better sense of what’s at stake if they’re found noncompliant with the General Data Protection Regulation, or GDPR. But still more questions remain, such as when the EU will come after smaller multinational companies for GDPR violations and which European data regulators might come knocking when that happens.
On Jan. 21, Google was fined about $57 million for what a French data protection authority called a lack of transparency, information and user consent regarding how the company personalizes ads. The fine — the first that a U.S. tech company has been issued under the GDPR — stemmed from a complaint filed against Google on May 25, the day the regulation took effect.
Adopted in 2016, the GDPR imposes a host of requirements on companies that collect or process EU residents’ personal data. The French data protection authority, CNIL, found Google to have violated the regulation’s “genuine consent” requirement, under which a user must explicitly opt in to having his or her data shared. Google disclosed to users how it would process their data, according to CNIL, but it spread that information across several online documents, making “the relevant information … accessible after several steps only, implying sometimes up to five or six actions.”