Despite its lobbying, Google can’t seem to win in Europe. The French privacy watchdog has blown through the US internet giant’s claim to comply with data-protection legislation, and its threat to pull its news-aggregation service in the region will likely prove far less effective than the company expects.
Google’s troubles with the European Union’s antitrust authorities are well-known: the company was fined 2.4 billion euros (Dh10bn) in 2017 for abusing its dominance in price-comparison services, and a further 4.3bn euros the following year for pushing software bundles on Android phone makers. Another antitrust probe, this time involving its AdSense advertising product, is under way.
But there are two more important areas where the European attack on Google is still in its infancy: Privacy and intellectual property. This is changing.
Monday’s decision by the French data protection agency, CNIL, is an important salvo on the first front – even if the regulator’s 50 million-euro fine is a rounding error compared with the $11bn of quarterly revenue Google’s parent, Alphabet, generates in Europe, the Middle East and Africa.
After Europe’s General Data Protection Regulation came into effect in May, 2018, tech giants such as Google, Facebook and others made a show of complying with the letter of the law, demanding consent from users for various data collection practices. But they never wholeheartedly complied with the GDPR’s key demand of privacy by design and by default.
It’s not easy for a user to opt out of being tracked. In June, the Norwegian Consumer Council, the country’s state-funded consumer protection agency, documented Google’s and Facebook’s efforts to discourage users from exercising their privacy rights.
The internet giants’ reluctance to comply was obvious to privacy advocates from the start. On May 25, a group calling itself “None of Your Business”, led by Austrian lawyer Max Schrems, filed a series of complaints to different European privacy authorities, seeking to strike down the companies’ practice of forced consent. The bureaucratic wheels turn slowly, but now the group and its French ally, La Quadrature du Net, have their first result.
So far, CNIL has only addressed one specific complaint against Google – that the process of creating a Google account, more-or-less essential to use an Android phone, rushes users through an opaque consent process instead of allowing them freely to choose understandable privacy settings. The watchdog ruled that consent obtained in this way isn’t sufficiently informed – nor is it specific or unambiguous. The user doesn’t really understand what data they have agreed to give up, and for what purpose.
Whether the CNIL decision will open the floodgates and GDPR rulings follow against other internet giants is uncertain. It requires courage for national data protection authorities to go head-to-head with a juggernaut like Google, which spends millions of dollars on lobbying, holds hundreds of meetings with EU officials, and can afford the best legal representation and the lengthiest trials.
In France, CNIL head Isabelle Falque-Pierrotin is leaving her post at the end of this month and won’t face Google’s pushback. And as of Tuesday, the company is moving its entire European operation under the jurisdiction of the Irish data protection authority, which, as La Quadrature du Net notes, is “understaffed and drowning in complaints”.
It is, however, possible that activist privacy regulators in other European countries still will take on Google in coordination with the Irish authority. The privacy war is only just beginning, and there are plenty of committed data protection advocates in Europe to make sure it doesn’t peter out.
The intellectual property front is only just beginning to open up. European copyright rules that may force Google and others to pay for carrying snippets of copyrighted content – such as news stories – haven’t taken effect yet. It will be up to EU member states’ national governments to decide how tough they should be.
Google is trying to head off this threat by threatening to pull its Google News service from all of Europe, just as it did in Spain in late 2014 after that country passed legislation requiring Google to pay publishers.
The threat, however, isn’t likely to be effective. In Spain, studies found that the exit of Google News reduced traffic to smaller news sites, but not to the most popular ones, which saw more readers come directly to their landing pages. Even if one disregards the higher comparative lobbying power of bigger media outlets, news aggregation is a competitive business. Last year, as Facebook pulled back from news distribution, other services – including Google’s – and publishers’ own apps and landing pages quickly picked up the slack.
Publishers aren’t likely to miss Google News much if it leaves: The fundamental fact of their business is that people look for news, and they will get it from other sources, including aggregators more willing to share ad revenue than Google.
It’s no accident that Google is fighting these skirmishes, as well as a battle over tax, in Europe. The US behemoth’s way of doing business is incompatible with the region’s emphasis on satisfaction for all stakeholders.
I doubt that Google will be able to avoid changing its behavior in the long-term, just as Uber had to rein in its culture of fighting regulation. Google has a lot of money for damage control, but these attacks will keep coming. It may be comforting to see them as mosquito bites. But Europe can be an uncomfortably mosquito-infested place for even a thick-skinned elephant the size of Google.