Big Tech vs GDPR

The world’s biggest tech firms are still falling behind on data privacy. They are either at loggerheads with GDPR or with each other, like the public spat between Apple and Facebook. In recent years, many big tech companies have increasingly been found to have mishandled consumer data or mining data without their consent or faced serious security breaches resulting in data leaks of millions of consumers. Despite privacy regulations and public scrutiny, big businesses like Google, Facebook, Twitter, and Amazon continue their unchecked data collection practices. 

This blog will highlight the regulatory scrutiny faced by the tech giants Google, Facebook, Amazon, and Apple with regards to violation of the GDPR.

Three years ago, Europe introduced the world’s toughest data privacy legislation – the General Data Protection Regulation (GDPR). It paved the way for data privacy to be at the forefront of the internet economy and for similar regulations to come up around the globe.

In December 2020, a leaked document sent shock waves among the regulatory authorities in the EU when tech giants were found to be spending big money in lobbying against and undermining existing frameworks. 

For years, tech giants have lobbied against federal privacy regulations. Tech giants fought hard to oppose the landmark California Consumer Protection Act (CCPA), the US’s first state-level consumer data privacy legislation. 

But after California rolled out their law, leading to many other states drafting their privacy laws, tech companies quickly changed their stance. They started lobbying for “watered down” state privacy laws for their long-term goal of passing a business-friendly, less stringent federal data privacy law.

Privacy experts stress that enforcement against the big names has been sparring and hesitant despite the years of investigations by the national regulators. Facing major criticism is Ireland’s Data Protection Commission (DPC) the lead regulator in Europe. The biggest names in tech businesses including Google, Facebook, Apple have their European headquarters in Ireland, which places the DPC at the core of Europe’s privacy battle with big tech. 

The DPC also faced severe criticism from privacy advocate Max Schrems for its inefficiency in GDPR enforcement. Schrems, whose long-standing case against Facebook resulted in a landmark Schrems II judgment, has been a long-time critic of the Irish DPC.

Google is a tech giant that has faced exceptional GDPR fines in comparison with its other Silicon Valley counterparts. In 2019, the French data protection authority CNIL had fined Google  €50 million, for not properly disclosing to users how data is collected across its services to target ads. Google faced yet another fine in 2020 when CNIL issued a €60 million fine on Google LLC and €40 million on Google Ireland for their failure to comply with the French cookie consent law. 

Reports since 2018, however, show that there is hardly any enforcement involving big tech firms to date even though regulators have received numerous complaints and initiated multiple investigations. In 2018, consumer groups from seven member states of the European Consumer Organization or BEUC filed GDPR complaints against Google for its location-tracking practices. 

This came about as a result of a report published by BEUC’s Norwegian member which showed how extensively Google used data location tracking and how it can endanger consumers’ privacy. Google was found to use deceiving techniques, confusing user interface design (or “dark patterns”) to nudge users into “making privacy-intrusive and non-informed choices for the company’s own benefit and control”. 

In November 2020, the BEUC released a report that noted the “current lack of effectiveness in the application of the GDPR”. The report stated that the cross-border nature of Google’s business resulted in a serious lack of redressal of the many complaints filed.

According to the 2020 annual report from the Irish DPC, there are 27 ongoing cross-border inquiries into big tech, including two into Google. The DPC has announced that 2021 is set to see some important draft decisions as a dozen privacy cases involving big tech companies are on track. 

The same report notes that Facebook and its associated companies have 14 ongoing investigations on them. In December 2020, the DPC submitted a draft decision in a case involving WhatsApp, a Facebook subsidiary, for approval to fellow EU regulators.

Another set of cases that are nearing a decision looks at allegations from a privacy-advocacy group that users are forced to consent to Facebook’s terms and conditions, and whether the company needs personal data for advertising to provide its service.

The social network company is also waiting on a decision regarding if it will have to suspend at least some data transfers from the EU to servers in the US. In September 2020, the DPC sent Facebook a preliminary order to suspend data transfers. According to the Schrems II ruling from the EU’s top court, cross-border data transfers present concerns about a breach of data privacy and surveillance by the authorities of states where it is transferred to.

Facebook challenged the order and the court dismissed the company’s challenge in 2021. So, the DPC decision is nearing an end, and may finally force Facebook to relook its practices or suspend data transfers. If it fails to comply with the order, DPC has the power to impose a GDPR fine of up to 4% of its annual revenue or $2.8 billion on Facebook.

The most recent GDPR scrutiny that could embroil Facebook is the data breach reported by the Business Insider. The leaked data includes personal information of over 533 million Facebook users from 106 countries, such as phone numbers, Facebook IDs, full names, locations, and email addresses. The DPC has initiated a voluntary inquiry into the same.

Amazon hit the GDPR news in 2020 along with Google when CNIL dropped record fines on the tech firms. Amazon was fined €35 million for setting cookies on users’ devices without following GDPR consent guidelines. 

Its French site (Amazon.fr) displayed a cookie banner that informed the site visitors that they agreed to its use of cookies by using the website. CNIL noted that this did not comply with the transparency or consent requirements under the GDPR. Amazon was also penalized for setting advertising cookies without prior user consent or providing users with any information regarding the same.

The same year, privacy rights group ‘noyb’ filed a complaint against Amazon with the German regulators for email security issues. The complaint raised that Amazon’s internal email security did not encrypt emails sent between the platform’s third-party sellers and their customers.

The European Society for Data Protection also filed a lawsuit against Amazon over its continued use of the EU-US Privacy Shield agreement for cross-border data transfer even after it was invalidated by Schrems II. 

In contrast to Apple’s privacy-friendly image, the company has been under multiple investigations since 2018. The Irish DPC opened up an investigation in 2018 regarding how Apple processes users’ personal data for targeted advertising, and whether its privacy policy is transparently informing the users of the same. In 2019, Apple faced another investigation on whether they comply with the GDPR concerning an access request from a customer.

In recent years, various privacy and advocacy groups have raised complaints against Apple. Noyb lodged complaints with German and Spanish data protection authorities for storing users’ data without their consent. According to the complaint, Apple’s IDFA (Identifier for Advertiser), a code that is automatically generated on every iOS, violates privacy laws on digital tracking as users are not asked for prior consent for the initial storage of the identifier.

The French startup lobby group France Digitale filed a complaint with CNIL regarding Apple’s personalized ads option which is set on by default on iOS 14 devices. The complainant alleged that Apple collects user data for ad tracking services and shares it with affiliated companies without explicitly asking permission from users.

The move represents the escalating tension between Apple and France Digitale regarding Apples’ privacy updates and the introduction of app tracking transparency feature. It is also interesting considering that Apple has received praise from privacy advocates for limiting ad-tracking for apps. 

For the most part, Twitter has not faced any major regulatory scrutiny under the GDPR. But in 2020, Ireland’s DPC issued a €450,000 fine on Twitter for failing to promptly report and document a data breach.

The GDPR mandates that data breaches have to be notified to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach. Businesses also are required to document the data involved in data breach and how they’ve responded to the security incident. Twitter failed on both counts. This is the first cross-border GDPR enforcement action taken against a tech giant under the GDPR. But, Twitter was not fined for the data breach itself, which was discovered in January 2019. 

The same year the Spanish AEPD imposed a $30,000 fine on Twitter for violating regulations on the use of cookies. Twitter dropped cookies on user’s devices as soon as they accessed the website, even when the users did not perform any other action. AEPD held that Twitter’s cookie banner stated the user accepts the cookie policy by using the website’s services and did not provide any further link within the banner to reject or manage the use of cookies.

Fast-track your compliance 

As regulatory authorities are clamping down on big and small businesses, you should get ahead with privacy compliance.

If you’re among the many businesses that are trying to get their heads around privacy laws like the GDPR, CCPA, CNIL, or LGPD, you should check out CookieYes. It is a cookie consent solution that will help you achieve full compliance in no time.

With CookieYes, you can easily add a fully customizable cookie consent banner, scan your website for cookies and automatically block third-party. No complicated codes or UI.

With a simple dashboard, you can geo-target, auto-translate the banner, and record user consent for proof of compliance. 

The free privacy policy generator and the cookie policy generator will allow you to create policies exclusively for your business, all in a few clicks.

Sign up for free today!