With GDPR landing in May last year it was always going to take a few months for complaints to be processed and judged on. And my, how France has risen to the challenge to be first out of the proverbial traps.
The country's data watchdog had fined Google a couple of times in the past for lapses on privacy policies and not implementing the right to be forgotten, but pre GDPR, these were for 150,000 Euros in 2014 and 100,000 Euros in 2016. As Dorothy remarked to her dog Toto in "The Wizard of Oz," we are no longer in Kansas.
GDPR was always going to have a poster child for the first big fine against a tech giant -- and given the history, it was not too surprising to find France's CNIL data watchdog is the first to step up to the plate.
The fine of 50 million Euros is hard to pin down to a specific failing, but rather what the watchdog see as an effort to try to get away with GDPR compliance without fully adhering to both the letter and the spirit of the law.
This column predicted back in May, the moment GDPR became law, that there would be trouble around Google's so-called "forced consent" options. You know the sort of thing, say yes to this or the world caves in. Or for us to keep bringing you this, that and the other, you really need to say yes to this. Exactly what "this" is few people could be bothered to find out. Rather like a cookie declaration, most people just said "ok, got it" and moved on.
Not privacy campaigner Max Schrems and his "None Of Your Business" who were one of the two groups who brought the case against Google. Their ploughing through the consent pages led them to believe Google wasn't being clear on how user data would be used, how long it would be stored and for what purposes. They claimed that getting to the bottom of what consent was being given could be spread across different pages on sites and sometimes consent boxes were claimed to have been pre-ticked.
If there was one thing the GDPR set out to do it was to ensure that companies were up front and clear and explained what they were doing in simple concise language. And the big one, no more pre-ticked boxes.
If None Of Your Business is correct -- and the record fine from CNIL suggests they had a good point -- then it's a pretty silly way to fall foul of the law. I have forewarned several companies that their pre-ticked boxes are now illegal but you would expect Google would know this, wouldn't you?
As for the forced and unclear consents, I suspect they have a very good point because the tech giants have such a poor record on clearly summing up what they do with user data. They have become accustomed to all of us just clicking so we can get on with what we're doing. Now that there has been a sea change, however, they were unprepared.
Google is considering an appeal against the fine and it is likely that this is what it will do because, after all, that is what Google often does. Get fined, appeal, repeat.
Regular readers of this column will know that this is all part of a turning of the tide against the tech giants. EU citizens, and their governments, have been frustrated at the tech giants' attitude toward paying what many see as their full and fair share of tax and an unwillingness to take full responsibility for what happens on the platforms they earn billions from.
So, with Schrems having filed privacy complaints in Austria against a group of tech giants this week, it is clear that this is just the beginning. The much-awaited era of GDPR being swung into action against the tech giants is here. This really is just the beginning.