EU Data Privacy Rules: Google Fined Millions as First Major GDPR Casualty

Earlier this week, France’s data protection agency, known as CNIL, fined Alphabet’s Google 50 million euros ($57 million) for breaching the European Union’s new online data privacy rules – the biggest such penalty levied against a U.S. tech company so far.

Enforcement of New EU Data Privacy Rules

The penalty against Google was issued for alleged violations of the EU’s General Data Protection Regulation (GDPR), which went into force in May 2018.  It allows users to better control their personal data and gives regulators the power to impose fines of up to 4 percent of global revenue for violations.

“GDPR represents a seismic shift in data privacy rules, requiring tech companies to be more transparent about data use, and giving individuals much more power over the collection and use of their data,” says Jim Chester, a global business and technology attorney and partner in Dallas-based technology boutique Klemchuk LLP.

“Although the industry has been aware of GDPR, it is such a fundamental and comprehensive change in how companies need to think about data privacy that many companies have struggled to adapt their policies – there is no clear ‘best practices’ blueprint for compliance,” Chester adds.

EU Data Privacy Rules Extend to US Companies

U.S. companies have also been uncertain regarding the extent to which they’d be subject to the EU data privacy rules.  According to Chester, as penalties and enforcement actions start to happen, a clearer picture of what’s expected will begin to develop.

In this case, the French regulator claimed Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads.  In a statement, CNIL said “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”

The penalty will likely be the first of many enforcement actions under the new EU data privacy rules, and U.S. Internet companies are scrambling to comply.

The GDPR is not limited to tech titans like Google.  To avoid penalties all companies operating online need to be aware of the GDPR’s requirements and must ensure they don’t run afoul of the EU data privacy rules.

For more details, see this article from Reuters (a source of much of this article’s content).

You may also be interested in:

Sign up for and explore our content and thought leadership here.

About the Firm:

Klemchuk LLP is a litigation, intellectual property, transactional, and international business law firm dedicated to protecting innovation. The firm provides tailored legal solutions to industries including software, technology, retail, real estate, consumer goods, ecommerce, telecommunications, restaurant, energy, media, and professional services. The firm focuses on serving mid-market companies seeking long-term, value-added relationships with a law firm. Learn more about experiencing law practiced differently and our local counsel practice.

The firm publishes Intellectual Property Trends (latest developments in IP law), Conversations with Innovators (interviews with thought leaders), Leaders in Law (insights from law leaders), Culture Counts (thoughts on law firm culture and business), and Legal Insights (in-depth analysis of IP, litigation, and transactional law).