What Google's hefty GDPR fine means for Australian marketers
- 23 January, 2019 14:59
In the wake of Google’s 50 million Euro fine, the Cambridge Analytica data scandal, and an increasingly educated and concerned consumer, experts are stressing that Australian businesses, brands, marketers and adtech businesses can no longer afford to assume that having generic consent policies in place for data use is adequate.
France’s data protection authority fined Google 50 million Euros (AUD$79.4 million) for breaches of the General Data Protection Regulation (GDPR), the first fine to be levied since the act came into effect in May 2018.
The National Data Protection Commission (CNIL) charged Google with violating transparency and information rules around user information, as well as a lack of valid consent around ad personalisation. Specifically, the group has said Google’s information to users about how data is being used is neither clear nor comprehensive, while the structure of information does not enable it to comply with GDPR.
This follows the UK Information Commissioner’s Office (ICO) fining Facebook £500,000 for ‘serious breaches of data protection law’ last year, under old legislation.
The fine related to the Cambridge Analytica scandal, when more than 310,000 Australians may have had their data improperly shared with Cambridge Analytica, according to a Facebook update in April. Facebook collected the information of up to 87 million people. This included up to one million UK residents, according to the ICO.
AMSRO president, Craig Young, said the CNIL fine against Google sends a strong message to all companies, both local and global, that if you are using personal information, it needs to be done with consent which is specific and unambiguous, and the explanation of how personal data will be used needs to be comprehensive and transparent.
"The regulators mean business and brands, marketers and ad tech businesses can no longer afford to assume that having some generic policies in place which provide, for instance, ‘general consent’ for data use are adequate. As the recent decision from CNIL has shown, this is not the case," he said.
"Protection of consumer data has always been something of an obsession of legitimate market research organisations, as we know that our industry’s continued existence depends on the goodwill of the public whose information we are entrusted with. Other parts of the broader marketing services industry are now finding that the regulatory environment is finally catching up with advances in technology and the implications, specifically for digital ad personalisation, are profound. The impact is likely to be felt in the hip pocket by brands and agencies who do the wrong thing both in fines from regulators and the inevitable consumer backlash.
"If the marketing services sector expects to continue to use consumer data for personalisation of advertising, there needs to be a general increase in the level of detail provided to consumers about exactly how their data is going to be used."
ShareRoot CEO, Noah Abelson-Gertler, saw tech giants being used as examples for the rest of the world, both now and in the future, and warned local companies to take note that GDPR compliance is vital, and it has teeth.
“Since the GDPR came into play, both consumers and companies have been waiting to see which of the tech giants would be made an example of first. It turns out that Google is the first to be hit with a fine, whereas most people were guessing Facebook was going to be the lucky winner due to its headline-grabbing security and data breach issues,” he said.
"For smaller companies, this Google infringement will serve as the first of many benchmarks regarding compliant and non-compliant activities for businesses interacting with EU citizens - which is essentially every business with an online presence. More benchmarks and flags will be established in the near future as the tech giants get hit with more fines, which will in turn, enable the smaller companies to form an idea of the landscape they need to navigate.
"There may have been companies both in Australia and throughout the world who previous to this fine, thought that the GDPR would be a piece of legislation without teeth, but moving forward, starting with this fine and following with many more, the deniers will dwindle in number and hopefully before it's too late, they will face the reality that compliance is the only path forward.
"Smart businesses will realise the GDPR and the resulting need to respect consumer privacy and data will only serve to help their business. Consumers want to be respected by brands and will respond and interact in kind if a company or business establishes an equitable relationship."
In Australia, Young said AMSRO members have pioneered protecting personal information under a legislated, registered industry privacy code for more than 15 years to ensure personal information for market and social research conducted by its member organisations is collected only with (truly informed) consent and under strict codes and practices.
"This latest development in Europe proves that it’s high time other organisations collecting, storing and sharing personal information and data comply with a similarly rigorous regime," he said.
Young added that the OAIC is also getting the message out locally, with the Australian Information Commissioner, Angelene Falk, sounding a warning that the OAIC ‘can seek civil penalties of up to $2.1 million per privacy breach through the Federal Court’.
GDPR was formally introduced across the European Union in May 2018 and is one of the most significant data privacy reforms to come out in years. The ambition is to give users more rights to protect their personal data, and the regulation covers concepts such as ‘right to be forgotten’, data breach accountability, and data portability.