On 21 January, France fined Google almost $57 million for a violation of the GDPR. The French data privacy regulator CNIL said that Google failed to fully disclose to users how their personal information was being collected and what happens to it. CNIL also said that Google did not properly obtain users’ consent for the purpose of showing them personalised ads. Google’s parent company Alphabet racked up $138.6 billion in revenue last year. I’ve calculated the penalty as 0.04%.
In July 2018, Facebook was fined £500,000 by the ICO for the “very serious contravention” by the social media giant for allowing the misuse of personal data in political advertising by Cambridge Analytica. The Information Commissioner Elizabeth Denham said that if the breach had happened after May 25 of 2018 when GDPR was in full effect, the fine would have be considerably greater. In the last three months of 2018 alone, Facebook clocked up £12.8 billion in revenue. In relative terms, the monetary punishment is 0.004%.
These fines are minute in comparison with the amount of money flowing through these companies. GDPR has upped the ante with fines for data breaches of up to 4% of global turnover or €20 million, whichever is greater. However, I think we are barking up the wrong tree if we are only looking at pecuniary sanctions as deterrents for bad practice.
The GDPR also introduced a duty for companies to appoint a data protection officer. My fear is people in this position could just be made a scapegoat and fired any time there is a data incident, to make it look like there are real repercussions.
Instead, we should make them shut up shop. If companies suffer a breach of data, they should have to cease operations. And length of the shutdown should depend on the severity of the breach. This will not only affect their bottom line but it will damage their reputation and good will amongst customers and users. The intangible damage is much harder to repair and cannot be fixed by throwing money at the problem. Companies would have to take extreme preventive measures to avoid this happening and so this is a far better deterrent than a piddly fine, which often are so miniscule in the grand scheme of things that they can be written off as a cost of doing business.
My idea is not perfect. What about organisations that are not engaged in commercial activities like charities or local councils? I don’t know, as my suggestion applies to for-profit organisations. Deterrents and sanctions in the public sector would have to be handled in a different way. Ceasing operation is only going to hurt the wider public in the long run. Monetary fines would just lead to higher council tax bills for local residents or cuts in services, neither or which are desirable outcomes (or deterrents).
If anyone has some ideas for discouraging data malpractice in the public and third sectors, please share them.
It’s been estimated that one billion people around the world had their data breached last year. Data regulators will have to get more creative with the penalties and deterrents so that data handlers take this problem more seriously, and ultimately bring that number down.