The French data protection regulator, CNIL, fined Google €50m this week following a crowdsourced complaint. Perhaps the most interesting aspect of the case is not the headline figure but what triggered the investigation: a public complaint, and a regulator eager to run with it.
The Public Trigger
The Google investigation was triggered by submissions from two data privacy NGOs, None of Your Business (NOYB) and La Quadrature du Net (LQDN). The complaints argued that Google's consent mechanism for data sharing (in particular for personalised advertising) did not meet the GDPR's requirements for transparency and valid consent, and asked CNIL to take action. Both groups are crowd-funded and enjoy wide support; LQDN's complaint was backed by 9,974 signatories who mandated it to act on their behalf.
CNIL received the complaints in the same week the GDPR came into force and began its investigation the following week. Although CNIL noted in its decision that, procedurally, the NOYB and LQDN complaints were not decisive, since it was competent to examine the issues of its own motion, the plain fact is that this matter was never the regulator's own initiative.
Move Fast, Investigate Things
What followed was a speedy investigation that largely found merit in the arguments of NOYB and LQDN. Along the way Google made numerous submissions that it was being treated unfairly on deadlines, translations, the scope of its representations and so on, and reading the decision one gets the general impression of a regulator in a hurry.
Lessons for Business
What we see here, then, is an enforcement environment in which the regulator was more than happy to take its lead from consumer rights bodies. That is entirely consistent with the design of the GDPR: Article 80 expressly allows data subjects to mandate a not-for-profit body to lodge a complaint on their behalf, which is exactly what LQDN's signatories did. It is also in line with the recent ICO criminal prosecution in the UK of SCL Elections (Cambridge Analytica's parent company) for failing to comply with an enforcement notice concerning a subject access request, a case which also began with an individual's complaint.
For business, the take-home message is that customers are becoming ever more aware of their data privacy rights and ever more able to enforce them, in part thanks to sympathetic regulators.
In this environment the lesson must be: don't give your customers or the wider public any cause for complaint. Make sure that your data privacy compliance is in order and that you can respond to requests, such as subject access requests, promptly and within the statutory deadlines. If you fail to do so and frustrate the people you deal with, don't be surprised if the regulator comes knocking.
Ohalo builds tools to automate data governance. Data X-Ray scans unstructured and structured data sources for personal data, allowing you to search across your data estate for individual data elements (in response to a DSAR, for instance) and to manage your risk at both a high level and in detail. Simply sign up here. Once you have established a baseline of where personal data is distributed across your data estate, you can track where that data is going with the blockchain-based Data Protection Router to support your wider data governance and data privacy compliance.