On November 30th, an EU antitrust regulator confirmed a current investigation into Google’s data collection, indicating continued interest in how the company accumulates and monetises information gathered on users. The inquiry particularly focuses on “data related to local search services, online advertising, online ad targeting services, login services, web browsers and others”.
Earlier this year, a French regulator said that “the world’s biggest search engine lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalised ads”.
“The Commission has sent out questionnaires as part of a preliminary investigation into Google’s practices relating to Google’s collection and use of data. The preliminary investigation is ongoing”, commented one regulator to Reuters.
Google, however, insists that their data retrieval system is necessary, and a company spokesperson has said that the data is used to “make our services more useful and to show relevant advertising, and we give people the controls to manage, delete or transfer their data”.
Following on the heels of the EU’s inquiry, Britain’s Competition and Markets Authority has decided to launch their own investigation into the tech giant and is specifically interested in their acquisition of UK data science startup, Looker. A statement released by the CMA says the organisation “is considering whether it is or may be the case that this transaction, if carried into effect, will result in the creation of a relevant merger situation under the merger provisions of the Enterprise Act 2002 and, if so, whether the creation of that situation may be expected to result in a substantial lessening of competition within any market or markets in the United Kingdom for goods or services”.
Facebook’s practices are also set to be investigated, despite their claims of compliance with all European regulations. The company argues that data collection is an essential component, as it allows the service to design and provide a personalised experience for each individual user.
Though the justifications presented may sound legitimate, the Commission believes that Facebook and Google’s practices are serving to edge out competition from smaller entities. European Competition Commissioner Margrethe Vestager, who just recently began her second term, is dedicated to ensuring that tech giants comply with EU regulations.
Meanwhile, both of these digital goliaths seem to be entering a new phase of regulatory policy around the world, and Google could experience its toughest year yet in 2020 as it faces worldwide investigation. Even in the US, a country known for its generally loose data protection policies, the Justice Department and almost every US state attorneys general have initiated antitrust probes.
These companies are no stranger to data breaches, many of which have affected the everyday social media and internet user. Back in October of 2018, Facebook reported a breach of more than 50 million user accounts. Because of EU privacy laws, only an approximate 10 percent of those accounts were those of EU residents, and watchdogs were able to fine them upwards of 1.5 billion dollars.
Before this, and prior to the creation of the General Data Protection Law, Facebook was sued by campaign group Fair Vote UK on behalf of users whose data was pilfered without their knowledge or consent during the Brexit campaign. Cambridge Analytica-associated data firm, Aggregate IQ, undertook targeted ad work during the Brexit campaign for Facebook; Dominic Cummings, the Vote Leave Campaign Director, wrote a piece stating that data science had motivated the leave campaign and ultimately caused its victory. He also mentioned that they spent 98 percent of the marketing budget on “nearly a billion targeted digital adverts”. After investigation, AIQ was ultimately found not guilty, though Facebook is still on the hook for their work on this campaign, and Brexit is now a major headache in the UK and throughout the EU.
Kyle Taylor, Fair Vote UK’s Director, said “It is now abundantly clear the status quo with regard to how we hold internet giants to account does not work. The solution is urgent reform to properly regulate and oversee companies like Facebook. Because the breaches took place before the GDPR came into effect, the fines are simply not great enough to deter this behavior.”
A Toothless Enforcement Policy?
Since the GDPR went into effect across the EU in 2018, the European Commission has been increasingly interested in Google’s compliance with regulations. The protocol applies to all residents of EU member states, and was created to replace an outdated data protection directive from 1995. In theory, this law allows residents to access the data collected about them through a “data subject request” and can exercise a “right to be forgotten”, meaning if the subject decides to withdraw their data then the company is obligated to delete it.
Tech giants are only allowed to collect data for a specific business-related motivation, instead of gathering to hold onto it for an undetermined use. Despite Facebook’s claims that it would follow GDPR “in spirit”, the company seems to have just redirected its data policy by relying on users to opt in to certain practices and making it difficult for them to opt out.
The punishment for not complying with GDPR is steep and can lead to a fine of up to 4 percent of the company’s annual global revenue, although individual member states are able to determine their own penalties on a case-by-case basis. While this could be debilitating for small companies, it does not seem to be a significant deterrent for larger ones. Over the course of the last two years, however, Vestager has attempted to instil significant change by imposing fines that add up to over 8 billion euros and calling for a change in business practices.
Despite scrutiny and repercussions for their actions, critics maintain that companies such as Facebook and Google have emerged virtually unscathed for their data practices, begging the question: are existing enforcement measures enough?