Google Breaches GDPR (Shock, Horror)

Sometimes it feels like this blog is at risk of turning into a list of evildoings by Big Tech. But it’s hard to avoid mentioning some of the stories as they arise. The biggest risk is that, much like data breaches, we’re becoming dulled to the severity by the frequency of such episodes.

Even so, it’s worth taking a look at the record fine of €50 million levied by the French regulator CNIL on Google yesterday. It’s an important decision because, apart from being the biggest fine under the new GDPR regulations, it also strikes directly at the heart of the business model that Google, Facebook, Amazon and many others rely on for their particular brands of surveillance capitalism.

The decision stated that people were not sufficiently informed about how Google collected data to personalise advertising. In other words, Google had not received valid consent because:

“Users are not able to fully understand the extent of the processing operations carried out by Google.”

I’m also interested to see that the complaint was raised by an individual privacy campaigner and a privacy organisation, invoking Article 15 (requiring companies to respond to individual’s requests for personal data). In essence, they argued that Google were forcing users to agree to new privacy policies.

Unsurprisingly, having the option to personalise adverts pre-ticked when users created an account wasn’t exactly compliant with the spirit of GDPR…

The question is, where do we go from here? Clearly this is a good start. But the fine – huge as it is – is nowhere near the maximum possible under the Regulations of 4% of its annual global turnover (which would equate to somewhere in the region of billions of dollars when it comes to Google).

I suspect we’ll see many more of these sorts of cases start to pile up over the next few years. But I struggle to believe that real, lasting change will come as a result of regulation as a result. The financial moat is still so vast around companies that scaled by being able to monetise this type of user tracking that I think this simply translates into an increased cost for those businesses (lower margins) rather than a seismic shift in business practices.

And I’m not convinced that the answer lies with those who are looking for more decisive action from regulators – along the lines of actively breaking up these companies. Because all that’s likely to do is, as Zuboff points out, leave us with many smaller companies still fuelled by surveillance capitalism.

It’s time for a paradigm shift in modern digital business models. With this scale, incremental change just won’t cut it. But at least this is a start.