GDPR fines ‘likely to end up before Europe’s highest court’
Chief privacy officer says multinational disagrees with French authority after €50m fine
Google’s chief privacy officer Keith Enright addresses the IIEA in Dublin on Thursday. Photograph: Lorcan Mullally/IIEA
Fines levied on multinationals and other organisations under the General Data Protection Regulation (GDPR) are likely to end up before Europe’s highest court as they seek to resolve “ambiguities” in the law, Google’s chief privacy officer has indicated.
Speaking in Dublin on Thursday, Keith Enright noted the €50 million fine levied on the company by the French data protection authority in January. The authority, CNIL, said the standard of consent being obtained by Google from its customers for using its products was “legally deficient”.
GDPR, which became enforceable in May last year, allows data protection authorities to impose fines of up to 4 per cent of a company’s global annual turnover.
“We disagree on the law,” Mr Enright said, in an address to the Institute of International and European Affairs. “We disagree with the opinion the [CNIL] reached, but we recognise that there is ambiguity.”
He said that, as Google had been determining its GDPR-compliance strategy, it had examined the regulation itself as well as regulatory guidance it was receiving from national data protection authorities and from the European Commission.
“We tried to take what we believed was a conservative view, because we wanted to make sure that we were managing risk appropriately.”
There was now an allegation from the French national authority “that we missed the mark”, he said. “We have chosen to appeal that ruling because we believe that the application and interpretation of the law by that [authority] didn’t reach the right outcome.
“We are optimistic that, upon review, we will be able to demonstrate that, in fact, the way we obtain consent in the context of our products and services actually does reach an appropriate standard under the GDPR.
“But all of this is clear evidence that we remain in a position of considerable uncertainty for the foreseeable future,” Mr Enright added.
“We fully expect that there will be ongoing engagement with regulators and, in some instances, there will be issues that are taken to court, probably all the way up to the highest court in Europe to resolve these latent ambiguities within the GDPR as the law evolves.”
Mr Enright said Google remained optimistic that, as the conversation played out, the company would drive “great outcomes” for users in the EU, “by coming up with balanced, pragmatic approaches that protect the fundamental European right to privacy” while allowing European innovators, entrepreneurs, publishers and internet content creators “to continue to reap the benefits of the internet ecosystem”.
He said Google had “thousands” of employees working on GDPR throughout 2017 and 2018 and “hundreds of human years” had been devoted to reviewing its entire product portfolio to try to optimise them in compliance terms.
Mr Enright’s comments came a day after Google admitted its latest “error” in not disclosing to customers that its Nest Secure home security system had a built-in microphone.
Nest, which Google acquired for $3.2 billion (€2.8 billion) in 2014, sells video doorbells, security cameras and thermostats that automatically adjust settings based on user behaviour. Alphabet merged Nest, which had operated as an independent unit, into its Google hardware group last year.
Mr Enright also said the Data Protection Commission (DPC) in Ireland was of “fundamental importance” to Google and to the world, given that so many tech companies had Ireland as their central place of administration.
“My experience with the DPC has been they are a tough regulator, but they are extremely thoughtful, they take the time to understand issues thoroughly. They have always demonstrated a commitment to sitting down with industry, to understanding the positions on the other side and reaching pragmatic solutions that are actually best for users.”
He said Google was looking forward to continuing its work with the DPC on issues around cross-border transfers of personal data.
“Of course, given our scale and given the nature of what we do . . . we will also continue engaging with national authorities, on issues of national interest, so I fully expect that we will continue having productive relationships with the national authorities across Europe.”