This fine is just the beginning. The plan is to push for a 4 billion fine by next year if the giant does not comply with the regulation. The CNIL (the French data regulation body) is the one behind that strong action.
Some could say this is a battle of David against Goliath, but it’s really not. The whole point of the GDPR regulation is to give EU citizens a defense against the tremendous power the GAFA hold over personal data.
The issue is based on articles 6, 12 and 13 of the GDPR text. On the night the regulation came into force, the 24th of May 2018 at midnight, the group “None of your business”, led by the Austrian lawyer Max Schrems, filed the complaint at the origin of Google’s fine. They had over 10 000 signatures.
Basically, articles 6, 12 and 13 state that users must be able to understand very easily what they are consenting to regarding the collection and analysis of their personal data. Moreover, the “contract” on which the consent is based must be short and easy for users to understand, and must suggest an alternative if the user doesn’t want to agree to the terms. For example, article 146 suggests offering compensation for giving away your data.
GDPR has been in force for a few months now. We are still waiting for the promised results. The only true changes are all these pop-ups appearing on the screen when you enter a new website for the first time. The worst part is that many websites are still far from disclosing their use of data.
Here are a few examples of popups that are not GDPR compliant at all.
First, both popups are in English even when accessed from a non-English speaking country. Article 19 is specific about the language used if the user is an EU citizen.
Secondly, the only choice is either to accept, or to accept and read the conditions. It’s totally absurd and illegal.
Those companies either got scammed by a lawyer giving bad advice, or they don’t care about the law and have asked their developers to set up the terms agreement this way. What the regulation suggests is rather to give a simple and clear choice about whether or not you agree to give away your data, and to state the specific use made of your personal data. Let’s be honest about that: companies are not just doing an analysis to better target customers, they make money with it, and specifically, the market size of European citizens is around 4 billion $ [reference]. Shouldn’t they share it with the user?
What is even stranger is that most terms are not even in the language spoken by the user (according to article 23), nor are the terms short and simple to understand (according to articles 6, 12 and 13).
On average, one site out of two is trying to be compliant by offering a choice between accepting all the terms and refusing some or all of the terms.
Looking at the ecosystem of startups helping companies to be GDPR compliant, most of them have a “top-down” approach, hence forcing the user to accept the terms the company wants. That is not what we call consent, right? You should not have a gun pointed at your head when you are making decisions, especially when it concerns your privacy.
In other words, GDPR compliance is not understood yet, and there is still a long way to go before EU citizens’ data is protected.
The added value of blockchain technology
If we look at the technical details of GDPR and blockchain technology, there are many similarities.
First, GDPR compliance has to be based on a transparent ledger, so that companies are auditable based on an immutable proof of what happened with the collected data. The only known immutable ledger is the Blockchain.
Secondly, the owner must be sovereign over her or his data. The blockchain is the only technology allowing such power for everyone with just the use of a private key.
Therefore, Google should build a GDPR/Blockchain technology that makes the ownership of data decentralized and transparent, and gives European citizens the possibility to be compensated when giving away their data.
Google is in that position mostly because of the size of the agreement contract. Many websites are making the same mistake. See the following example: