The fine print: Big tech on the hunt for private data

As technological advances such as artificial intelligence (AI), big data, robotics, and interconnected devices (often referred to as “the Internet of Things”) are becoming an integral part of our existence, they appear to exert a growing influence on the global economy. However, current regulations don’t seem to keep up with the rapid development of technology. As a result, the law is too lenient on big tech companies that tend to scorn the fundamental rights of their customers.

Occasionally, some of these companies get caught red-handed and face the consequences. In 2017 the European Commission imposed a penalty of €2.4 billion on Google and Alphabet[1], and the General Court upheld the fine[2]. Unfortunately, such actions often appear to have little influence on the companies’ behavior in the long run.

Currently, several instruments (such as the GDPR and the NIS directive) are at hand to ensure that fundamental rights are not neglected in the course of implementing information systems. Additionally, numerous private institutions develop codes of conduct, frameworks, and other soft law regulations applicable to AI robots and other technologies. We have even seen many scholars attempt to analyze the impact these instruments produce in the legal field and other disciplines. Still, studies on their economic ramifications and actual ability to shape the behavior of major players are scarce.

The GDPR establishes some penalties and fines for infringement of the provisions or failure to comply with the obligations established in it. Those fines could go from €10 million or 2% (whichever is higher)[3] to €20 million or 4% (again, whichever is higher)[4] of the total worldwide annual turnover.

In theory, the financial fines proposed by the GDPR serve a dual purpose (protecting the rights of the data users and punishing or changing the behavior of the actors). In reality, however, they seem to fail to deliver the desired effects. In the aftermath of the Cambridge Analytica scandal, Facebook was fined $5 billion by the US Federal Trade Commission in 2019. The company was also ordered to implement a new privacy program[5]. Still, the $5 billion fine amounted only to one month’s worth of Facebook’s revenue, and it did not translate to a significant change in behavior. What’s even more ironic, as investors realized that the social media giant is invulnerable to sanctions like this, Facebook’s stock price increased by more than 1%[6].

Recently, the Austrian Data Protection Authority declared that the use of Google Analytics by Google constitutes an unlawful transfer of personal data. It was argued that the company transfers data to the US but is unable to protect it from “U.S. government surveillance.”[7] Even though experts claim the use of services like Google Analytics might be forbidden as a result, it all comes down to how fast Google and similar companies can adapt to regulatory changes.[8]

It is worth noting the GDPR sets guidelines for civil liability and compensation. According to one of the articles, any person who suffered material or non-material damage as a result of an infringement of the GDPR has the right to be compensated for the damage suffered[9]. It is also stated that any of the entities involved can be held liable, including the processor, which makes the article the first legal instrument with such a broad scope in this context[10]. Even the very concept of damage is open to broad interpretation. Furthermore, the GDPR leaves space for any other definition of damage caused in the light of other legislative acts, claiming no “prejudice to any claims for damage deriving from the violation of others rules in Union or Member state law.”[11] Member states are empowered to make the necessary rules for penalizing violations of the GDPR’s provisions. Penalties should be “effective, proportional, and dissuasive.”[12] Member states are to determine whether the nature of such a penalty is criminal or administrative[13] on the basis of national legislation[14]. In other words, non-compliance could be compared to tax fraud as it can be punished by both administrative penalties and criminal sanctions.

If big tech companies are so powerful they drive the industry or shape the digital economy, cybersecurity practices, and privacy policies, no existing penalties and fines may be severe enough to influence their behavior in the long run. This has also been discussed in the context of competition rules in a report published by the European Court of Auditors. One of the conclusions drawn in the report was that although fines may be very high, they don’t necessarily have to be an effective deterrent as it all depends on the turnover of the companies concerned[15]. Ultimately, it would be advisable to evaluate if GDPR and other ICT regulations can have a real economic impact on big companies.

If all this makes you wonder whether it’s safe to use our services, relax, it’s all good.

At Iagon, we believe it is vitally important that all your fundamental rights are protected. So regardless of the practices of companies, big or small, we will always strive to keep your privacy our number one priority.


  1. For “favouring its own comparison shopping service on its general results pages through more favourable display and positioning, while relegating the results from competing comparison services in those pages by means of ranking algorithms, Google departed from competition on the merits” ↩︎

  2. Available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2021-11/cp210197en.pdf ↩︎

  3. GDPR Article 83 (4) ↩︎

  4. GDPR Article 83 (5) ↩︎

  5. Federal Trade Commission, ‘FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook’ (24 July 2019) Available at www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions ↩︎

  6. Julia Carrie Wong, ‘Facebook to be fined $5bn for Cambridge Analytica privacy violations – reports’ The Guardian (San Francisco, 12 July 2019) Available at www.theguardian.com/technology/2019/jul/12/facebook-fine-ftc-privacy-violations
    ↩︎

  7. Jennifer Bryant, “Austrian DPA's Google Analytics Decision Could Have 'Far-Reaching Implications'” (International Association of Privacy Professionals, January 20, 2022), https://iapp.org/news/a/far-reaching-implications-anticipated-with-austrian-dpas-google-analytics-decision ↩︎

  8. Ibid ↩︎

  9. GDPR Article 82(1) ↩︎

  10. Voigt, Paul, and Axel Von dem Bussche. "The eu general data protection regulation (gdpr)." A Practical Guide, 1st Ed., Cham: Springer International Publishing 10 (2017): 3152676. P206 ↩︎

  11. GDPR Recital 146 ↩︎

  12. GDPR Article 84 ↩︎

  13. GDPR Recital 152 ↩︎

  14. Voigt, Paul, and Axel Von dem Bussche. "The EU general data protection regulation (GDPR)." A Practical Guide, 1st Ed., Cham: Springer International Publishing 10 (2017): 3152676. P209 ↩︎

  15. Special report 24/2020 European Court of Auditors. ↩︎

Tracking cookies? We will never take your recipe!
An overview of our Zero Cookie Tracking Policy.

Bibliography

Brookson, Charles, S. Cadzow, R. Eckmaier, J. Eschweiler, B. Gerber, A. Guarino, K. Rannenberg, J. Shamah, and S. Gorniak. "Definition of Cybersecurity-Gaps and overlaps in standardisation." Heraklion, ENISA (2015).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Directive 2016/1148/EU of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS)

European Court of Auditors, ‘The Commission’s EU merger control and antitrust proceedings: a need to scale up market oversight’ Special report 24/2020.

Federal Trade Commission, ‘FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook’ (24 July 2019)

Jennifer Bryant, “Austrian DPA's Google Analytics Decision Could Have 'Far-Reaching Implications',” Austrian DPA's Google Analytics decision could have 'far-reaching implications' (International Association of Privacy Professionals, January 20, 2022).

Judgement of the Court in Case T-612/17 Press and Information Google and Alphabet v Commission (Google Shopping)

Julia Carrie Wong, ‘Facebook to be fined $5bn for Cambridge Analytica privacy violations – reports’ The Guardian (San Francisco, 12 July 2019)

European Court of Auditors, ‘The Commission’s EU merger control and antitrust proceedings: a need to scale up market oversight’ Special report 24/2020.

Voigt, Paul, and Axel Von dem Bussche. "The EU general data protection regulation (GDPR)." A Practical Guide, 1st Ed., Cham: Springer International Publishing 10 (2017): 3152676. P206