Europe's new privacy law tests muscle on Google
Illustration: Lazaro Gamio/Axios
The roughly $57 million fine French regulators leveled on Google Monday is the first real test of how aggressively Europe's sweeping privacy rules will force change at U.S.-based tech giants.
Why it matters: The European General Data Protection Regulation (GDPR) has sparked an urgent effort to pass a national online privacy law in Washington. And state lawmakers are attempting to create their own regulations, too.
Details: The French data regulator CNIL accused Google of two violations, stemming from an investigation of aspects of its Android mobile operating system:
- Not being transparent with users about how their data is being used;
- Not getting adequate consent from users to monetize their data.
What they're saying: A Google spokesperson said in a statement that the firm is "deeply committed" to "the consent requirements of the GDPR" and is figuring out what steps to take next.
- Joseph Jerome of the Center for Democracy and Technology said in an email that while there were "coherent arguments" that Google didn't meet GDPR's standard, he was "not sure exactly how the CNIL wants Google to remediate its issues, aside from providing even clearer, more centralized notice and creating granular consent options."
Reality check: $57 million isn't more than Google's lunch money.
- Its parent company Alphabet brought in more than $33 billion in revenue in its last reported quarter alone.
- Yes, but: The fine is big enough to act as a warning to Google that it needs to change its ways, particularly if other EU authorities take it as a roadmap for penalizing Google (and others) in similar complaints.
The other side: Tech allies were quick to argue that France's fine was the product of bad enforcement and unclear rules.
- Former Facebook chief security officer Alex Stamos tweeted that if "CNIL doesn't fine any EU-based ad networks in the coming months we know GDPR is about competition policy, not privacy."
Daniel Castro, who leads the Center for Data Innovation, said in a statement that the GDPR "requires companies to follow a complex and ambiguous set of rules" and is "fundamentally not a viable model for regulating the digital economy."
The bigger picture: This moment is a test for Google, but also for the ability of Europe's new rules to rein in American tech giants.
- Up until Monday, European regulators had only enforced GDPR against smaller, lower-profile players like an analytics firm associated with Cambridge Analytica and a German social media firm.
- Per Axios' Sara Fischer: The debate in Europe now moves from setting what the rules' requirements ought to be to figuring out what an ad giant like Google must do to meet those requirements.
The Google fine could cause headaches for Facebook and other social platforms operating in the EU.
- Facebook chief operating officer Sheryl Sandberg told attendees at a conference in Germany on Sunday that the company needs "to stop abuse more quickly and we need to do better to protect people's data." (Not everyone there bought it.)
What we're watching: How Google's EU fine influences the Capitol Hill debate over privacy, as lawmakers try to write rules before a new privacy law goes into effect in California next year.
- The Federal Trade Commission is also weighing the possibility of leveling a major fine on Facebook for violating user privacy, according to multiple reports.
Our thought bubble: No matter how much tech gripes about GDPR, Monday's fine makes it clearer than ever that Europe, not Washington, is setting the pace when it comes to building guardrails for Silicon Valley firms.