Earlier this week, France’s data protection agency, known as CNIL, fined Alphabet’s Google 50 million euros ($57 million) for breaching the European Union’s new online data privacy rules – the biggest such penalty levied against a U.S. tech company so far.
Enforcement of New EU Data Privacy Rules
The penalty against Google was issued for alleged violations of the EU’s General Data Protection Regulation (GDPR), which went into force in May 2018. It allows users to better control their personal data and gives regulators the power to impose fines of up to 4 percent of global revenue for violations.
“GDPR represents a seismic shift in data privacy rules, requiring tech companies to be more transparent about data use, and giving individuals much more power over the collection and use of their data,” says Jim Chester, a global business and technology attorney and partner in Dallas-based technology boutique Klemchuk LLP.
“Although the industry has been aware of GDPR, it is such a fundamental and comprehensive change in how companies need to think about data privacy that many companies have struggled to adapt their policies – there is no clear ‘best practices’ blueprint for compliance,” Chester adds.
EU Data Privacy Rules Extend to US Companies
U.S. companies have also been uncertain regarding the extent to which they’d be subject to the EU data privacy rules. According to Chester, as penalties and enforcement actions start to happen, a clearer picture of what’s expected will begin to develop.
In this case, the French regulator claimed Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads. In a statement, CNIL said “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
The penalty will likely be the first of many enforcement actions under the new EU data privacy rules, and U.S. Internet companies are scrambling to comply.
The GDPR is not limited to tech titans like Google. To avoid penalties all companies operating online need to be aware of the GDPR’s requirements and must ensure they don’t run afoul of the EU data privacy rules.
For more details, see this article from Reuters (a source of much of this article’s content).
To view information on Jim Chester and the Klemchuk LLP international business and trade practice, please click here.
About the firm:
Klemchuk LLP is a litigation, intellectual property (IP), and business law firm, located in Dallas, TX. The firm offers comprehensive legal services including litigation and enforcement of all forms of IP. Additionally, we provide registration and licensing of patents, trademarks, trade dress, and copyrights. The firm also provides a wide range of technology, Internet, e-commerce, and business services including business planning, formation, and financing, mergers and acquisitions, business litigation, international business, import/export, data privacy, and domain name dispute resolution. Additional information about the Internet & eCommerce law firm and its Internet & eCommerce attorneys may be found at www.klemchuk.com.
Klemchuk LLP hosts Culture Counts, a blog devoted to the discussion of law firm culture and corporate core values with frequent topics about positive work environment, conscious capitalism, entrepreneurial management, positive workplace culture, workplace productivity, and corporate core values.