A record fine for Google in Europe is raising the stakes for U.S. tech companies and regulators over how they address privacy practices.
Google was hit with a $57 million fine, the largest yet leveled under a sweeping new European data law, the General Data Protection Regulation (GDPR). The fine is meager compared to Google’s bottom line, but the law allows regulators to ramp up penalties up to 4 percent of their annual global revenue. For Google’s parent company Alphabet, that could amount to a $4 billion hit.
{mosads}For Google and its Silicon Valley peers, the fine is being seen as a wake-up call that Europe is ready to challenge them on their data practices. And in the U.S., it’s raising pressure on American regulators to follow suit and toughen their oversight of tech giants.
Privacy advocates who believe that Big Tech hasn’t done enough to comply with the new law hailed the fine because regulators ruled that some of Google’s foundational data collection and advertising practices are illegal. They see the fine as a clear sign of tougher actions ahead from Europe’s data authorities.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Max Schrems, a privacy activist with the group None of Your Business, which filed the complaint that led to the fine.
“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products,” Schrems added. “It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
In a statement, a spokesperson for Google said it was reviewing the decision to “determine our next steps.”
“People expect high standards of transparency and control from us,” the spokesperson said. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
Privacy activists in the U.S. are hoping regulators and lawmakers here take heed of Europe’s example.
Caitriona Fitzgerald, the chief technology officer and policy director at the Electronic Privacy Information Center, said that the enforcement action from the French data authority CNIL sends a signal to Google and others in Silicon Valley. Fitzgerald said the action also offers a clear blueprint for how authorities on this side of the Atlantic should police internet giants.
“It’s hard to say how much you have to fine Google to hurt them, but it’s stronger than anything we’ve seen here in the U.S.,” Fitzgerald told The Hill. “I think U.S. consumers should ask why the FTC [Federal Trade Commission] is failing to act against these tech companies.”
The fine comes as Congress is inching toward a comprehensive privacy bill that would implement the nation’s first overarching data protection rules. It also arrives as the FTC investigates whether Facebook violated a 2011 consent agreement in its handling of the Cambridge Analytica scandal.
The tech industry’s critics in Congress and in the privacy world have grown increasingly impatient with the FTC, which they believe is ill-equipped to take on the role of a U.S. data privacy watchdog and has so far failed to use its existing authority to rein in internet giants.
Privacy advocates said the fine on Google highlights the difference between the U.S. and European approaches to policing the industry.
The fine on Google came just eight months after GDPR went into effect in May. Meanwhile, the FTC has remained silent about its Facebook probe, which has been underway since March.
“This decision ratchets up the pressure on the FTC to show that it has the guts to take on Facebook and Google,” said Jeffrey Chester, the executive director of the Center for Digital Democracy. “It’s the same practices and the same companies and yet they are fearful of taking a stand.”
A spokesman for the FTC did not respond when asked for comment. The government shutdown has rendered the agency largely unoperational.
Critics have called on Congress to follow Europe’s lead by creating a new federal agency solely dedicated to protecting user privacy. They say the FTC is a relatively small agency with limited authority that extends to policing companies for deceptive business practices. Critics say the U.S. would be better off with a watchdog with the resources and mandate to ensure companies don’t abuse user data.
“Almost every democratic country in the world has an authority focused on data protection so the U.S. is kind of alone in that regard,” Fitzgerald said.
It’s unclear when Congress will come up with a set of rules for the U.S. market, but some lawmakers and tech critics believe that Europe has set the benchmark for cracking down on the industry with Monday’s fine.
That is likely to leave both the tech industry and its domestic regulators scrambling.
“Google finally beginning to face accountability in Europe for its blatant disregard for data privacy,” Sen. Richard Blumenthal (D-Conn.) wrote in a tweet. “The days of Google & Big Tech running unchecked in America must also quickly come to an end.”