The penalty was levied by the French National Data Protection Commission (CNIL) under GDPR, the European Union’s data protection law. The regulator alleged a “lack of transparency, inadequate information and lack of valid consent regarding” personalization of ads by Alphabet. The penalty was the result of two complaints and a subsequent investigation by the CNIL at Alphabet’s Irish headquarters, which determined that Alphabet made it too burdensome for consumers to identify and manage its use of personal information for targeted ads. Alphabet’s stock fell 2.59% on Tuesday.
The $57 million fine may be a drop in the bucket for Alphabet, which posted more than $110 billion in annual revenue in 2018. But the commission suggested that the penalties might not end there: “the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” the commission added in an announcement of the fine. And it could also portend further enforcement against the search giant, with increasing regulatory scrutiny into how it manages user data.
Other European regulators and governing bodies have shown a willingness to fine or otherwise slap liabilities on a certain narrow class of tech giants. For example, in December 2018 Italian authorities fined Facebook (FB – Get Report) approximately $11 million for misleading users on its data practices; In October 2018, a British regulator levied a smaller fine against Facebook for complaints related to the Cambridge Analytica scandal. The European Union is also weighing a new tax on digital advertising revenues targeted at Alphabet and Facebook, and French Economy Minister Bruno Le Maire recently announced plans to raise taxes on tech giants regardless of any new EU tax law.
How high can fines get for a company like Alphabet? The GDPR law permits fines of up to 4% of a company’s annual global revenue, which could mean billions. And some industry observers anticipate that the $57 million fine could be the first of many affecting advertising-based business models.
“This is really the starting bell for U.S. technology companies operating in an EU dominated by the GDPR — I’d expect this to be the beginning of many future fines and struggles, which will revolve around the core business model of companies like Google, Facebook and more,” said Andrew Burt of Immuta, which helps companies with data governance.
In a statement, Alphabet didn’t admit fault in responding to the commission’s charges, but said: “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
Alphabet may not take the fines lying down, Burt pointed out.
“What I think will be most interesting to watch is how Google fights the fine,” he added. “Will it clearly accommodate the regulators, or simply treat CNIL and other similar assessments as impossible to meet? There’s a lot that’s still up in the air — but with CNIL’s fine, the post-2018 GDPR landscape is beginning to take shape.”
Part of that new landscape could eventually involve a GDPR-esque law in the U.S. Although likely to be less punitive than GDPR, U.S. lawmakers are mulling a federal privacy law that would supersede a patchwork of state laws involving data privacy, such as the California Consumer Privacy Act passed in 2018.
The CNIL’s decision “will almost certainly have profound impact on U.S. data privacy legislation and enforcement,” said Dimitri Sirota, CEO of BigID. “This fine shows that GDPR does in fact have teeth, and requires businesses to adhere to its intent of putting the power of user information back in the hands of its rightful owner — the user.”
In December 2018, Google CEO Sundar Pichai fielded questions on Capitol Hill from lawmakers who grilled the executive on the company’s handling of user data. During the hearing, Pichai joined a chorus of other technology executives in expressing support for some form of a national law, as opposed to state laws, telling lawmakers that the industry would be better off “with more of an overarching data protection framework for users.”
Pichai’s responses were seen by many as opaque, but the jury’s still out of whether that will work in Alphabet’s favor in the longer term.
Alphabet is due to report its next quarterly earnings on Feb. 4.