

GDPR compliance for business has remained firmly on the agenda since the regulation came into force in May 2018. It has rarely been far from the headlines, and businesses across Europe have had to pay close attention to how they collect, store and manage personal data.
Several high-profile cases have already been brought under GDPR, most notably the £44 million fine issued against Google in January 2019. However, that was not the first GDPR penalty, and it is unlikely to be the last.
The Google case attracted particular attention because of the company’s size and influence. Google has built much of its business around the use of data to improve and personalise online experiences. For that reason, the fine raised a wider question. It was not only about what the decision meant for Google, but also about what it might signal for businesses around the world.
Under GDPR, businesses dealing with European consumers must make sure they have adequate permission to collect, manage and store sensitive information. In addition, consumers have the right to be forgotten. This means they can ask a business to retrieve and remove the personal information it holds on them. If an organisation fails to meet these requirements, it risks breaching GDPR.
The potential penalties are severe. Fines for data breaches can reach 4% of a company’s global annual turnover. Viewed in that context, Google may have escaped a much larger penalty. Four per cent of its annual turnover would have meant a fine of around £3 billion rather than the £44 million it received.
The French regulator CNIL criticised Google on two main points. First, it found that Google did not provide enough transparency about how it processed user data. Second, it found that Google did not obtain valid legal consent for targeted advertising. CNIL also concluded that Google’s process for allowing users to opt out of targeted advertising was neither specific nor unambiguous.
The EU may have moved first on serious data protection law, but other countries are likely to follow. The world is becoming more digitally connected each year. As that happens, personal data becomes more valuable, and the way businesses protect it becomes more important.
Pressure has already been building in the United States for a national privacy law and for stronger federal rules on how companies collect and use data. Over time, legislation of this kind may become a basic requirement for entering the market. Businesses may also begin to compete on trust, presenting themselves as careful and responsible custodians of the data entrusted to them.
Ultimately, the Google penalty is unlikely to be an isolated case. It points to a broader direction of travel. Privacy regulation is here to stay, and the way businesses handle customer and user data will only become more important.
Copyright © 2024 · All Rights Reserved · MobiCode