Google's $2.73 Billion Fine Demonstrates Importance of GDPR Compliance
27.6.2017 securityweek Privacy
The European Commission (EC) has levied a €2.42 billion ($2.73 billion) fine against Google because it "has abused its market dominance as a search engine by giving an illegal advantage to another Google product, its comparison shopping service."
While this is an antitrust action, it raises the possibility of similarly large fines under the General Data Protection Regulation coming into force in less than a year's time. That new regulation can set sanctions at up to 4% of a firm's annual global turnover. While this would rarely reach the level of today's fine against Google in absolute terms, it provides the potential for proportionately similar fines against a far larger number of companies than those that might be caught by antitrust regulations.
Today's fine was levied because the EC concluded that firstly, "Google is dominant in general internet search markets throughout the European Economic Area;" and that secondly, "Google has abused this market dominance by giving its own comparison shopping service an illegal advantage."
Google can, and almost certainly will, appeal the decision. In a statement emailed to SecurityWeek, Kent Walker, SVP and General Counsel, commented, "When you shop online, you want to find the products you're looking for quickly and easily. And advertisers want to promote those same products. That's why Google shows shopping ads, connecting our users with thousands of advertisers, large and small, in ways that are useful for both. We respectfully disagree with the conclusions announced today. We will review the Commission's decision in detail as we consider an appeal, and we look forward to continuing to make our case."
The level of the fine was calculated on the basis of a specified formula. "The Commission's fine of €2,424,495,000," explains the EC announcement, "takes account of the duration and gravity of the infringement. In accordance with the Commission's 2006 Guidelines on fines... the fine has been calculated on the basis of the value of Google's revenue from its comparison shopping service in the 13 EEA countries concerned."
It is this use of a known formula that allows us to speculate on any future GDPR fines (for any infringer and not just Google). "Does this case give us any entree as to how the Commission might behave in setting fines when GDPR is in force?" asks Brian Bandey, a Doctor of Law specializing in International IP and cyber issues. "Well we can say that the Commission followed its 2006 'Guidelines on the method of setting fines' with respect to Google."
When they came into force, competition commissioner Neelie Kroes said about them: "These revised Guidelines will better reflect the overall economic significance of the infringement... the link between the fine and the duration of the infringement, and the increase for repeat offenders -- send three clear signals to companies. Don't break the anti-trust rules; if you do, stop it as quickly as possible, and once you've stopped, don't do it again."
Bandey continues, "My personal expectation is that the same approach will be taken with respect to GDPR fines. The EU States hold the concept of individual personalty and their consequent rights very highly. In a sense, that is the moving force behind the GDPR. In the European Commission Fact Sheet on this subject (24th May 2017): 'The reform provides tools for gaining control of one's personal data, the protection of which is a fundamental right in the European Union.'
"In that sense," he adds, "I expect that they will link penalties for breaching these 'fundamental rights' to duration, effects on involved persons, and repeat offending." And as Kroes said, it would be best for companies who breach GDPR to stop as quickly as possible, and not breach it again.
Not everyone thinks that this anti-trust fine will provide a benchmark for future GDPR fines. Dr Monica Horten, a visiting fellow at the London School of Economics, stresses the fundamental difference between the laws. "With this Google fine," she said, "this is a corporation abusing its dominant market position. The underlying motivation is about deliberately seeking to gain market advantage, and simultaneously disadvantaging its competitors. It was a deliberate, proactive move to cut out competition.
"GDPR fines," she continued, "will be imposed by national regulators responsible for data protection in Member States. The GDPR gives national regulators a range of measures they can take before they resort to a fine. With GDPR, the root is more likely to lie in some form of corporate management failure, either through neglect or making false economies and cost-cutting." The implication is that the regulators will be slow to deliver the full force of the regulation.
But that doesn't mean that companies can afford to relax concern about GDPR. With this fine, explains David Flint, senior partner at law firm MacRoberts LLP, "the Commission has sent out a clear signal that it is not afraid to take on the largest entities who it perceives to be breaching EU law. With the introduction of the GDPR next year and its potential for penalties of up to 4% of worldwide turnover, there can be little doubt that US businesses need to take compliance with EU law, be it Data Protection or Antitrust, very seriously.
"Both the GDPR and the Antitrust rules envisage follow-on private actions for damages, so the potential risk, legal, financial and reputational may be significantly higher."
"But let me be absolutely clear," adds Bandey; "nobody really know. But we will do in the not-so-distant future."