Julie Myers Wood (jwood@guidepostsolutions.com) is the CEO and Kenneth Citarella (kcitarella@guidepostsolutions.com) is the Chief Privacy Officer for Guidepost Solutions, based in New York City, USA.
In January, French data privacy agency CNIL imposed a $57 million penalty on Google for alleged noncompliance with the General Data Protection Regulation (GDPR), a regulation passed by the EU parliament in 2016. It comes as no surprise that the authorities have decided to make Google an example of what is to come if noncompliance is suspected by European regulators.
According to the GDPR rules that took effect in May 2018, “the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.” The law also states that “consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.”
Based on how Google collected and used consumer data to create personalized ads, CNIL imposed a fine on Google, alleging that Google did not provide information to its users in a manner that is transparent, informative, and easily understandable.[1] Because Google’s consent policy was deemed insufficient, CNIL stated that Google did not have the legal basis to use the consumer information it collected. Google’s response maintained that the company did everything in its power to create a GDPR consent process, based on the regulatory guidance provided.
There is no doubt that Google will put up a robust defense in its appeal of the French data privacy agency’s $57 million fine. But the significance of this infraction goes beyond what Google did, or didn’t do, in order to be compliant with French regulations. This can be seen as yet another wake-up call for corporations anywhere in the world that track and use consumer data, from tech giants to online retailers. Given the global patchwork of laws and regulations that govern consumer data privacy, it’s easier said than done.
The complexities of compliance with data privacy policies
Companies face an uphill battle tailoring their data protection policies to meet a web of regulations that are complex, expanding, constantly changing, and vary by country. Failure to tailor these policies to meet all the global regulations that a company is subject to will result in enforcement actions and penalties.
Google’s chief privacy officer recently said that Google and CNIL disagree on the [interpretation of the] law and that Google will demonstrate that their obtaining of consent does reach an appropriate standard under the GDPR.[2] How can companies even begin to implement a compliance program with data privacy policies under this cloud of ambiguity?
Determine jurisdictions and obligations
The starting point is to be compliant with the data protection regulations specific to a company’s home country. For US companies, that means adherence to Federal Trade Commission regulations and compliance with statutes, such as the Gramm-Leach-Bliley Act for banks operating in the US, that apply to their activities. Data protection and privacy laws vary widely around the world. Some provide basic protections; others, such as those of Australia, Ukraine, Turkey, Colombia, South Africa, the Philippines, South Korea, and Japan, have an “independent data protection authority accredited at the international conference of data protection and privacy commissioner,” according to CNIL’s data protection world map.
For companies operating in multiple global jurisdictions, there are additional complexities. A US company transferring data from Switzerland or EU-member countries to the US must also comply with the Privacy Shield Framework,[3] a mechanism for companies to comply with the data protection requirements of those jurisdictions. It is sometimes not enough that a company just comply with regulations in its home country. It may also be responsible for adhering to international agreements a country is a party to.
Understand the meaning of consumer data privacy
An added challenge is to understand that consumer privacy is viewed very differently in the US and the EU. In the US, privacy is generally treated as an obligation arising out of a commercial relationship. If a consumer uses a bank, the bank must protect the consumer’s information. In the EU and most of the world, privacy is a right of citizenship, even residency, and is a much more affirmative and comprehensive obligation.
For example, take the issue of consent. Typically in the US (though this is evolving), consumers must opt-out or decline to have their information used in certain ways. In the EU, a person’s information cannot be used unless they agree, or opt in, to the use. Alarmingly, in some countries, statutes described as data privacy regulations are also designed to facilitate the government’s ability to control the location of and have access to the information of its citizens.
Build a data privacy working group
It is critical that a company’s chief legal officer, chief compliance officer, chief privacy officer, and the team responsible for managing consumer data information work closely together. Such coordination and collaboration are vital best practices across all areas of compliance. Achieving this across borders, languages, and cultures raises the complexity level but makes it even more important to stay on top of matters.
It is paramount that such a team has the ability to adapt a company’s compliance program to privacy-related regulatory developments it is subject to. Domestically, that may mean complying with the California Consumer Privacy Act and, internationally, for example, with the new Cyber Security Law in China. The playing field is constantly shifting, and a company’s compliance depends on vigilance and its readiness and ability to adapt its operations to meet the new regulations.
Regulatory complexities
One of the most perplexing issues confronting international entities is the inconsistent provisions of the various national data privacy laws. Take the example of Microsoft. The US government tried to compel this US-based company that stored emails in Ireland to comply with a subpoena to produce them. Microsoft said doing so would violate its privacy obligations under the GDPR. Congress has passed a law that attempts to resolve the issue, but to what extent that will satisfy any foreign government remains to be seen. Although there is no single solution to navigating the global regulatory landscape, companies must be buttoned up on all fronts, domestic and international.
Google will have the opportunity to make its case in France’s Council of State, and the outcome will likely have a major impact on any organization that collects and uses consumer data. Companies should consider this case a warning to reassess their compliance, be proactive in updating their consent policies, and adapt their compliance program to meet the evolving expectations of the regulators. Policies will vary in different countries, but there are steps that every company collecting consumer data should take immediately. It all begins with ensuring that a company’s chief general counsel, chief compliance officer, and the team responsible for managing consumer data information work closely together.
Takeaways
- Google’s GDPR fine is a wake-up call for corporations that track and use consumer data.
- Companies face an uphill battle tailoring their data protection policies to meet evolving regulations.
- Global companies must adhere to regulations and agreements beyond those in their home country.
- The chief compliance officer, chief legal officer, chief privacy officer, and the team managing consumer data must work closely together.
- The decision of Google’s appeal will have an impact on the entire tech sector.