On January 21, 2019, the French National Data Protection Commission (CNIL) fined Google €50 million for not complying with the General Data Protection Regulation (GDPR). There will be a legal challenge, but this blog focuses on the policy considerations surrounding the decision. There are at least three initial takeaways from the CNIL decision. First, this enforcement action demonstrates that the GDPR should not be replicated word for word in a possible U.S. federal privacy law. Some notion of consumer harm should enter the calculation when a fine is considered. Second, DPAs should be more forthcoming with guidance on how to comply with the GDPR, especially when companies are making a good faith effort to comply with the law. Third, there is a risk that the one-stop-shop is going to become effectively meaningless. As U.S. policymakers consider a federal privacy law, this should be a key consideration. Differing state and federal privacy enforcement policies would diminish the innovation-promoting aspect of a federal privacy law.
The GDPR Should Not Be Replicated Entirely in the United States
While there are a number of elements, especially with respect to consumer rights (although not the right to be forgotten), in the GDPR that SIIA endorses, enforcement powers need to be carefully calibrated. It is not an accident that the United States is a leader with respect to the digital innovation economy. Part of the reason is that U.S. regulation tends to focus on protecting consumers from demonstrable harms. It is worthwhile recalling in this context that Google actually invested considerable resources to comply with the GDPR. According to CNIL it just did not do so in a good enough way, although CNIL did not explain what would meet its expectations. For example, what does CNIL mean when it says “essential information” is “excessively documented across several documents?” But CNIL also says that the information Google provided to consumers is not clear and is vague. So which is it? Too much information? Or too short a summary? This is admittedly a tough challenge.
The EU regulators understandably want to avoid lengthy consumer-facing documents from companies written in “legalese.” But if the regulators consider the information provided to consumers insufficient, wouldn’t it make sense to first engage with the company to see if changes could be made before issuing a fine? Such engagement seems particularly appropriate in this case given that no harm was demonstrated and consent was, in fact, obtained from consumers (albeit not in the way CNIL would have preferred). This seems to be even more reasonable when, again as in this case, the company in question can, in fact, demonstrate substantial compliance investments and changed practices.
The DPAs Should Work More Cooperatively with Industry
On the eve of the entry-into-force of the GDPR on May 24, 2018, SIIA released a piece entitled: “General Data Protection Regulation (GDPR) Entry-Into-Force: Ten Suggestions from SIIA.” SIIA argued that DPAs should work with industry to ensure that the ICANN WHOIS system can continue to be used. In fact, this remains an urgent SIIA priority. There is an ICANN expedited policy development process (EPDP) working on this issue, and we hope that the report it is expected to release in March 2019 will provide consensus-based, durable, and effective solutions. However, as we wrote in our May 24, 2018 article: “But practical ideas that can work in real-time are needed from EU authorities as well.” What this illustrates in the context of the CNIL case is that there is an urgent need for the regulators in the EU to intensify their work with industry and other stakeholders and to be more forthcoming in developing solutions that work for everybody with respect to GDPR implementation. True, Europe can point to numerous guidance documents. And many companies can document compliance regimes and changes since the GDPR’s entry-into-force. But what is needed is a better sense from regulators as to what passes for a good faith effort to comply even if a given compliance regime may have room for improvement from a regulatory standpoint.
This is an admittedly challenging task. Industry is not looking for overly prescriptive guidance. And regulators presumably don’t want to be perceived as blessing compliance systems prematurely. But there has to be some middle ground that would work for both industry and DPAs. The United States’ NIST Privacy Framework exercise could be helpful in this regard. The FTC’s online advertising guidelines are another example of regulatory advice that can help companies navigate complex law and regulation.
Whither the One-Stop-Shop?
When the GDPR was proposed in 2013, the one-stop-shop was the key business-friendly element highlighted by the European Commission. As things turned out, however, there is much less than meets the eye to the GDPR’s one-stop-shop. The CNIL ruling is not clear in this regard. Google’s EU headquarters are, in fact, in Ireland, although we do not know why the Irish DPA did not consider the case. The CNIL says that because Google’s Ireland HQ did not have relevant “decision-making power,” the one-stop-shop mechanism was not applicable.
What is the implication of this legally? Our sense is that the one-stop-shop is effectively losing salience. That might be an outcome European regulators prefer. But European economic policymakers should be aware that it will not promote the digital innovation they say they wish to promote. As we note in our May 24, 2018 piece, this is even more potentially problematic for SMEs: “With respect to the Lead Supervisory Authority, the guidance says that for companies without an establishment in the EU, they are obliged to deal with the regulator in every country they are active in. This is potentially problematic for the thousands of SMEs throughout the world (not just the United States) that do routine business with the EU. Companies that solicit advice from a DPA should be able to rely on that advice throughout the Union. Without this ability, the very notion of a single digital market is compromised.”
Some might argue that a €50 million fine is a drop in the bucket for a company like Google, really akin to a minor “cost of doing business.” But this is not the point. There is a societally crucial role for regulators in cracking down on bad actors. But the regulator-industry relationship, while it should never result in “capture,” need not, and should not, always be adversarial in nature. The issues are too important and too complex. There needs to be a greater effort on the part of regulators when dealing with companies that have invested in compliance regimes to provide a better sense for what is acceptable and what needs to be improved without resorting to fines (however small in comparison with a company’s revenues) in the first instance.