Where Tech Giants Are Getting Slapped Over Privacy

(Bloomberg) -- Strict new privacy rules that took effect in the European Union last May give regulators unprecedented powers to protect people from having their data misused by companies doing business there. Everyone from hotels and restaurants to Amazon.com Inc. and Facebook Inc. scrambled for months to comply with the General Data Protection Regulation, which mandates fines of as much as 4 percent of global annual sales for infractions. Alphabet Inc.’s Google got a bitter taste in January of what’s at stake when the French data protection authority fined it a record 50 million euros ($56.8 million) for privacy violations -- the highest such penalty ever in the EU.

1. What did Google do wrong?

The Commission Nationale de l’Informatique et des Libertes, the French regulator known as CNIL, said Google failed to inform users properly about the data it collects on them and how it’s used to personalize advertisements. The probe followed complaints from two digital-rights advocacy groups, None of Your Business (noyb), created by Austrian activist Max Schrems, and La Quadrature du Net of France. The groups acted together on behalf of at least 10,000 people and accused Google of “not having a valid legal basis to process the personal data of the users of its services,” according to CNIL. The regulator concluded Google’s deficiencies could result in users revealing “important parts of their private life.” Google has appealed the decision.

2. What other penalties might be coming?

On Jan. 18, Noyb filed a new series of privacy complaints across Europe, this time targeting companies including Google’s YouTube, Amazon, and Netflix Inc. Facebook faces multiple probes by the Irish data commissioner under GDPR, including one into a security breach that affected as many as 50 million accounts. The EU’s executive arm said on Jan. 25 that national data protection authorities across the 28-nation bloc “have by now received more than 95,000 complaints from citizens.” GDPR gives equal powers, for the first time, to national watchdogs to fine companies for the most serious violations. On Feb. 7, Germany’s Federal Cartel Office ordered Facebook to overhaul how it tracks users’ internet browsing, citing violations of the GDPR among its reasons.

3. Will the U.S. ever have its own version of GDPR?

In 2018, California approved a privacy law that drew comparisons to GDPR. The regulations, which go into effect in 2020, give consumers the right to know what data has been collected on them, the choice to opt out of the sale of their personal information and the ability to have some data on them deleted. Given the rules there and in Europe, tech firms are seeking a uniform federal law that would overrule state statutes like California’s, but consumer advocates say a U.S. law could weaken strong state protections. A push by industry could help a privacy law through a divided Congress, but political gridlock poses major challenges. In the meantime, some companies like Facebook are preemptively extending certain GDPR-like protections to customers in the U.S.

4. How does GDPR work?

Companies have to post clear notices for users and get their “unambiguous” consent to collect data, instead of burying an O.K. inside fine print and legal jargon. Confusing “terms and conditions” that must be agreed to when signing up for a fitness tracking app or ordering groceries online are no longer tolerated. (Whether you actually read and absorb all the emails and pop-ups asking for consent is up to you.) The new rules also oblige companies to make it easier for people to retrieve their data, to give (or sell) it to another business, and to disallow its use for direct marketing purposes. Collection of data on children under the age of 16 without parental approval is banned. In response to the GDPR, WhatsApp raised the minimum age for its users to 16.

5. Who must follow these rules?

GDPR covers any entity in the EU that is “processing” personal data by collecting it, storing it or disseminating it. This means it’s not just social-networking sites, search engines and big online retailers: The rules also apply to information collected by schools, chat rooms, property management companies and even scout groups. In worst-case scenarios, those in charge can risk prison sentences.

6. What constitutes personal data?

As defined by the EU, any data that’s sensitive in nature and can be linked to a person falls under the umbrella of protection. This includes credit card numbers, travel records, religious affiliations, web search results, biometric data from wearable fitness monitors, and internet protocol (IP) addresses and personal computer addresses. It doesn’t include legal actions or public records, and the media benefit from some exemptions to reconcile privacy with freedom of expression.

7. What is compliance going to cost firms?

A study last year by Ernst & Young found that the world’s 500 largest companies were on track to spend a collective $7.8 billion to comply with GDPR. By the start of 2019, most of the kinks had been worked out and even laggards had brought their sites up to snuff. But costs for many companies have ended up being higher than anticipated: In an Irish report released in November, more than 60 percent of companies said compliance costs had outstripped their expectations.

8. What is required to comply?

Organizations with more than 250 employees need to have a data protection officer, who makes sure the rules are followed through employee training and compliance audits. If a firm is smaller than 250 people but collects large quantities of sensitive data, it also needs a DPO. If there’s a data breach, authorities must be notified within 72 hours and customers informed in a timely manner if the breach poses a risk to them. Situations like Uber Technologies Inc.’s attempts to cover up its 2016 data hack, or the slow release of information on Yahoo’s massive data breach in 2013, are now punishable with huge fines.

9. How does GDPR change life for consumers?

Consumers have been barraged with alerts asking them to review their privacy settings and permit websites to use their data. Users visiting a site for the first time can be blocked from browsing further unless they click a box and consent to having their data collected. EU consumers can request access to the data that’s been collected on them and how it’s being used. Data will be destroyed when it is no longer needed for the original task. And because consumers now “own” their data, they may eventually be able to trade for goodies like gift certificates from Zara in exchange for their shopping history with J. Crew.

10. What data can consumers get removed?

Through the “right to be forgotten” -- a protection created by the EU’s top court in 2014 and enshrined in GDPR -- citizens can force organizations to erase information that was illegally gained or no longer holds true. Data that serves no current purpose or has been used for direct marketing could also be on the chopping block. In some cases, consumers who don’t give permission for websites to use their information may not be allowed to post on social media or consumer review sites.

©2019 Bloomberg L.P.