On 21 January 2019, the French data protection authority, CNIL, imposed a fine on Google of €50 million for various breaches of the GDPR, and the first fine imposed by CNIL.This was to biggest fine to-date by far imposed by any DPA pursuant to the GDPR.

The CNIL found that Google had committed several GDPR infringements. Among other things:

  • Google did not provide sufficient accessibility to its search engine users of certain vital information, including the legal basis for the processing of their personal data and how long it was being stored;
  • Google did not make it sufficiently clear to users that their consent was the purported legal basis for processing their personal data for targeted advertising purposes;
  • This consent (even if it constituted a valid legal basis for processing) was not validly obtained because users were not clearly informed of what they were consenting to.

The principal takeaway from the Google decision concerns fines under the GDPR. The Google fine was imposed some 8 months after the GDPR went into force. The levelof fines going into 2020 are likely to be much higher. Chinese firm sat risk really shouldn't wait much longer to become compliant, not when complex compliance projects may last up to a year even longer.

A second takeaway from the Google case is that the use of high-powered lawyers and IT people to confuse and mislead data subjects in order to limit their client's responsibilities under GDPR is not a clever strategy and will not betolerated. When external lawyers are engaged in GDPR compliance activities, they must take into account the interests of the datasubjects, as they are the class of people protected by the GDPR, not the companies collecting the personal data.

There are several other developments worth reporting.

The Austrian entrepreneur

In October 2018, the Austrian DPA imposed a fine of €4,800 on a retailer for excessive surveillance of his establishment—his security camera apparently captured the images of people on his sidewalk which were unnecessary for security purposes. While this decision may appear small-minded,one must consider that the GDPR addresses the monitoring ofindividuals' behavior, whether it is in form of surveillance cameras, Internet browsing habits, cell phone usage etc.

Many Chinese companies have been hesitant to implement the GDPR because they think that GDPR only applies to Internet companies. The Austrian case pretty much destroys that line of thinking. Imagine a major Chinese manufacturer, bank or insurer with a large presence in Europe which routinely monitors their facilities and offices, both inside and out, not only for security reasons, but also to check on what their employees are doing(e.g. to maximize productivity or to ensure that they are not breaking the law). They have surveillance cameras on the grounds, in the parking lots, in the hallways etc.

The Austrian decision makes clear that all such monitoring and surveillance must meet the standards of the GDPR. And, in the case of a much broader surveillance activity that involves hundreds if not thousands of employees, clients and other individuals, it is clear that thepotential fine would be much larger than €4,800.

German social media app

Another development is theNovember 2018 decision by the DPA for the German State of Baden-Wurttemberg (LfDI) in the case of Knuddels.de. In this case, Knuddels.de, a small German chat app, was hacked, resulting in the theft of almost 2 million user names and passwords and more than 800,000 email addresses. The LfDI concluded that Knuddels.de had breached Article 32 of the GDPR (security of processing) principally by storing passwords in plain text (i.e. they were not encrypted). Because  concluded that Knuddels.de had breached Article 32 of the GDPR (security of processing) principally by storing passwords in plain text (i.e. they were not encrypted). Because Knuddels.de quickly reported the hack to its home DPA, it was spared a much higher fine for having failed to report the data breach within 72 hours of its discovery.

Knuddels.de was only fined €20,000 because it is a small app with limited sales income. If the company investigated were, for example, a large Chinese app, bank orInternet platform, the fine may well have been in the millions of Euros.

Warning signs

All three of the above cases demonstrate how pervasively GDPR can apply to a typical Chinese company that has activities in the EU, as well as the extent to which national DPAs will go to address infringements. If they are will to investigate small businesses, then they will not hesitate to go after large Chinese companies, even if they are under the radar in Europe.And it should be kept in mind that there is no requirement under the GDPR that the Chinese company have an EU presence. After all, they are able to collect the data of EU residents from anywhere.....

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.