In this edition of Privacy Insider, we feature not one but two stories of Google facing data privacy penalties. The first focuses on a whopping $60 million fine levied by Australian officials; the other is a complaint filed with a French data protection authority that previously issued a $149 million penalty.
Those are certainly some alarming numbers, but Google has the resources to pay up. They also have the resources to dedicate toward compliance, which leads one to ask: If a company like Google can’t stay in compliance with all of its money and tech and smart people, what hope is there for my company?
Rest assured, most regular businesses putting the effort in toward compliance aren’t at risk of facing million-dollar penalties yearly — it’s not impossible, of course, but nothing in life is guaranteed.
Data protection authorities can and do go after small businesses and minor violations. (The smallest GDPR fine on the books was just €28.) But enterprises like Google are going to attract more attention for several reasons.
For one, they’re simply larger and have more opportunities to violate regulations. They also provide fundamental services that most individuals and businesses need to consume, like cloud infrastructure, search, and e-commerce. And they’re highly visible, influential organizations. Other businesses look at a $60 million fine against Google and think: We can’t afford that. I’d better get my house in order.
But small- and medium-sized businesses (SMBs) that make the effort to get their house in order and become compliant go a long way toward reducing their risk. Data protection authorities aren’t interested in crippling SMBs — they’re interested in protecting consumers. They frequently give opportunities to correct mistakes before issuing a fine.
So, if you’re making a good-faith effort toward compliance, don’t let the headlines keep you up at night (unless you’re Google).
Google hit with $60 million penalty
In what is the third-highest penalty for a violation of the Australian Consumer Law (ACL) in history, Google has been ordered to pay $60 million over its data collection practices. Specifically, Google was alleged to have misled some Android device users about how Google was collecting their location data. The tech giant failed to make it clear that it was continuing to collect location data through a user’s Google account even if their “Location History” setting was turned off.
Privacy complaint targets Google over unsolicited ad emails
Max Schrems’ data privacy advocacy group, noyb, has filed a complaint with France's data protection authority against Google for sending unsolicited advertising emails directly to the inbox of Gmail users. This comes on the heels of another $149 million penalty levied by French authorities based on Google failing to make it easy for users to refuse online trackers.
FTC announces proposed rulemaking on privacy and data security
The FTC issued an advance notice of proposed rulemaking, or ANPR, aimed at a wide variety of data privacy issues. In particular, the agency aims to generate a public record about prevalent commercial surveillance practices or lax data security practices that are unfair or deceptive.
Oracle targeted in US privacy class action suit
A recent class action suit alleges that Oracle’s “worldwide surveillance machine” has amassed detailed dossiers on roughly five billion people. Since the US lacks a federal privacy law, the lawsuit is notable in that it references multiple federal, constitutional, tort, and state laws.
Time to switch your standard contractual clauses
If your business handles data transferred out of the EU and into the US, then time is running out to update to the new set of standard contractual clauses (SCCs). Our blog post dives into what prompted the change, the deadline to switch over, what’s different about the new SCCs, and more.