By Patrick Connelly, originally published in Buffalo Law Journal, Buffalo Business First on Feb 4, 2019, 5:11am EST.
Massive Google Fine was Splash GDPR Needed
If you kept an eye on your personal email the last few weeks, you likely noticed brands reaching out to inform you that once again they updated the terms and conditions of their privacy polices.
These alerts provided formal notice that the companies solidified their policies in the aftermath of the $57 million fine Google received for violating General Data Protection Regulation protocol.
Technology attorneys said it was hardly surprising that Google was the first big tech company to be cited. Rather, they said it was the splash the European Union’s GDPR needed since it came into effect last May.
“I expected when they enacted GDPR they would go after some major players, and Google is probably the biggest company with the sketchiest track record,” said Shawn Roche, an associate at Colligan Law.
“People have to understand that they’re going to be subject to this,” said Michael Storck, a partner at Lippes Mathias Wexler Friedman LLP. “Google is so large you would have thought they would have had all their ducks in a row on that.”
Anna Mercado Clark, partner at Phillips Lytle LLP, agreed.
“What better way to make a statement than to focus on these headline-grabbing players?” she said.
The GDPR ushered in a change that makes the data storing of personal information more transparent while further protecting the digital rights of individuals who reside in those countries.
Businesses outside of the EU are expected to be compliant when they contact and conduct business with individuals in those countries, as well as in how they internally process and store data.
The French GDPR policing agency Commission nationale de l’informatique et des libertés (National Commission for Informatics and Liberties) said the amount of the fine was “justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
The agency said Google did not clearly present to individuals information on how and why their data was collected and stored, nor did Google make it easily accessible.
“That enforcement action was really geared toward the way Google obtained consent,” said Myriah Jaworski, an attorney at Beckage PLLC.
She said Google made consumers take too many steps, which led to the GDPR citation.
“We’re going to see regulators flexing their muscles and this certainly is an example of that,” Jaworski said.
The big change facing North American companies in navigating the GDPR is in how they collect consent. Rather than just a quick-and-dirty fillable online form, companies need to have outlined how they’ll use, store and eventually delete the consumer’s information if the person opts out from ongoing email correspondence or a site’s membership.
This information also must be easily accessible.
The GDPR’s many regulations put businesses in a spot where they need to have a constant eye to stay compliant, Clark said.
“There are a lot of nuances that are not immediately visible,” she added.
Storck said he advises companies to take a top-to-bottom approach to address how and what their business needs to explicitly and thoroughly have written out.
“If you don’t properly document all of the given aspects of what you’re going to do with the information, you’re going to trip up,” he said.
More sensitive records should he kept under watchful eye, Roche said.
“If you are knowingly doing business with a number of European Union citizens or collecting data in one of those highly sensitive areas (such as the medical industry), you should make a much more concerted effort to make sure you’re compliant with GDPR,” Roche said.
Google appealed the fine and Roche said that should provide the rest of the world “clarity on some things that are not so clear under the (GDPR regulations).”
Data management perspective
“People (had) been waiting for something to happen,” technologist Chris Jordan said of the fine levied on Google.
Jordan has worked in data privacy for decades and now runs the Maryland-based Fluency Security, a provider of security automation and solutions to businesses around the country, including New York.
In the rush to become compliant with the GDPR, many businesses overlooked log management, which he describes as documenting any and all items that a business tracks.
“If you don’t store logs, you put your company at risk,” he said.
Logs should be sufficient enough to address laws and regulations and tailored to a business, Jordan said. How long they should be stored varies by industry.
Jordan said many businesses aren’t deleting all the data they should when a customer opts out. Instead, fragments of an individual’s experience with the company remain in encrypted data and metadata that may leave the business subject to GDPR violations.
Software is available to assist businesses with log management and deletion, Jordan said.
California enacted a Consumer Privacy Act that takes effect in 2020 that attorneys said will lead more states to take heed and perhaps even the federal government.
Under the California law, companies are required to make sure consumers are aware of the following:
What personal information is being collected about them
Whether their personal information is sold or disclosed and to whom
They can access the personal information the company has on file and can say no to it being sold
They have the ability to request all personal data be erased.
Consumers must be provided equal service and price by companies even if they exercise privacy rights.
“I think in the future you’re going to see more of this. I think that is undoubted,” said Storck.
“We’ve been saying for a long time that this is the beginning and this isn’t going away,” said Jennifer Beckage, managing partner of Beckage PLLC.
Clark called the California law a moving target for businesses to consider as some of its facets may be altered.
“There is still a lot of movement in California to amend the law,” she said.
She and Storck said it’s probable that the federal government will push for legislation that harmonizes or standardizes regulations on data privacy for all states.
“I would expect that to be the case,” Clark said, adding that tech companies have voiced their support for federal, uniform rules.
A push for more consistency is bound to happen, Jaworski said.
And it only gets easier from here now that companies are more familiar with the future of privacy regulation, Roche said.
“We’re going to reach a point probably where most large U.S. businesses are going to be compliant with GDPR,” he said.
Once companies are up to speed on the California law, they should be set up well to adapt to what may come down the pike from other states or federally, he said.