When Google was fined 10 million euros (then-U.S. $10.6 million) by Spain’s data protection authority (DPA) last month, it reignited interest in why the company behind the world’s most popular internet search engine—and other Big Tech firms, generally—has not been more frequently penalized under the General Data Protection Regulation (GDPR).
The fine is the fourth for Google under the European Union’s stringent privacy law and second highest in value following the €50 million penalty (then-U.S. $57 million) the company was hit with in France in 2019. Other countries to sanction the tech giant include Sweden and Belgium.
There has been consternation about how slowly the Irish Data Protection Commission (DPC), Google’s lead supervisory authority, has moved to close two ongoing cross-border complaints against the company regarding real-time bidding and the way it uses personal data to drive advertising, as well as its use of location data.
Experts provide differing views as to why Google and other tech firms have got off relatively lightly.
“Perhaps an easy answer would be they haven’t been found to have broken the law,” said Nigel Jones, co-founder at Privacy Compliance Hub.
The true answer may be “more nuanced,” Jones added. European data regulators have tended to educate rather than penalize because “they need to make sure they are on a firm legal footing if they are going to issue fines. This requires resources, and the fact is the resources of Google far outweigh the resources of any regulator,” he said.
According to Jones, another reason may be Google—unlike some tech firms—has tended to take a conciliatory approach with the Irish regulator and other DPAs about what practices might violate the GDPR, which means “there will have been a dialogue going backwards and forwards between the company and the regulator for all this time.”
The move has already paid off: Google amicably resolved a cross-border complaint with the Irish DPC regarding YouTube content involving a child, for example.
Ryan Gracey, head of technology and partner at law firm Gordons, said the reason Big Tech firms have received relatively few fines to date is due to the nature of the potential GDPR breaches.
“Big Tech investigations have tended to cover their own misuse of personal data to gain financial and competitive advantages, like Google’s lack of transparency to individuals on how their personal data is used, while other industries where we have seen a higher frequency of fines, like telecoms, involve data breaches related to the mass disclosure of personal information,” said Gracey.
The former, said Gracey, “are difficult, complex, and time-consuming for regulators to investigate, understand, and take action on,” while the latter “are much more straightforward” because the regulator can readily identify the breach, consider any aggravating and mitigating factors, and then issue a proportionate fine.
Experts added part of the challenge in regulating Big Tech is a lack of transparency about firms’ activities, which makes it more challenging to know what is being done. Another problem is these companies’ efforts to scale up their legal teams.
Flavia Kenyon, barrister at law firm The 36 Group, cited failure of the GDPR’s enforcement powers and the timidity of regulators as further issues.
She believes the GDPR’s one-stop shop mechanism is “not fit for purpose” and “failing to deal with data protection issues concerning millions of web users across Europe.”
The Irish DPC’s inaction has played a part in leading the European Commission to draft antitrust legislation against Big Tech as a way of addressing misuse of personal data, privacy, and data monopolies, as well as to “re-assert the Commission’s digital sovereignty via another legislative route,” she said. The planned Digital Markets Act would give national regulators the ability to hand out fines up to 10 percent of global turnover for infringements.
Will Richmond-Coggan, a director and specialist in data protection disputes at law firm Freeths, noted fines are only one tool available to supervisory authorities under the GDPR. “Being realistic, for a company the size of Google, fines are not necessarily going to be the best way to secure positive improvements,” he said.
The U.K.’s Information Commissioner’s Office, for example, did not impose a fine on Google’s DeepMind project in relation to its unauthorized use of medical personal data for a diagnostic research initiative but took the opportunity to set out guidance for how such projects should be set up and operated in the future to secure compliance.
Richmond-Coggan questioned the idea Big Tech firms have “got off light” in the European Union. They have been on the receiving end of a substantial amount of regulatory activity and received some of the largest penalties under the GDPR, he remarked.
Further, the international data transfer landscape has been completely reshaped by a series of legal challenges against Meta/Facebook by privacy campaigner Max Schrems, which has put data protection and compliance at the forefront of tech firms’ activities, Richmond-Coggan said.