The General Data Protection Act has been making headlines for quite some time now, especially the potential fines that can be levied for non-compliance. Since the law’s recent enactment in May 2018, legal professionals and privacy advocates around the world have been waiting to see how countries will enforce GDPR violations. On January 21, 2019, France made one of the most significant moves to date by handing down an enormous fine to a major technology company who they deemed violated GDPR compliance protocols.

While there are many components of the GDPR, the main purpose of the law is to provide individuals with greater data privacy protections and control.  Organizations that handle personal consumer data have several obligations under the law. This includes providing individuals with easy access to their collected data, obtaining consent before data collection, and having a way for users to delete data. The GDPR forces organizations to reevaluate and modify their data collection practices, policies, and security protocols. Transparency and easy access are key components of a compliant privacy model. Fines for GDPR violations can be up to four percent of an organization’s global revenue.

CNIL, the French agency that handles privacy issues, fined Google roughly $57 million for GDPR violations. Two privacy advocate groups claimed that Google was not fulfilling the GDPR’s data privacy standards pertaining to transparency, information disclosure, and consent. Google’s alleged violations included:

• Failure to provide users with a clear understanding on how the organization collects and uses their personal information
• Failure to obtain consent from users to show personalized advertisements based on their collected data
• Having insufficient data consent policies and failing to provide enough information about these policies

Specifically, the CNIL concluded that Google’s option allowing users to change their privacy setting was insufficient. Google automatically authorizes personalized advertisements for accounts and mandates that individuals consent to all of Google’s terms in order to use their services. In order to obtain compliance, Google may need to modify current policies, provide more easily understandable information about their policies, gain informed consent before ad targeting users, and give users a clear way to opt-out of personalized advertisements or delete personal data. While this is a big step, some people believe that the fines are not large enough because Google’s revenue is much higher and their violations are greater than what the agency noted.

Representatives for Google indicated that the company is reviewing the decision and plans to appeal the fine. Google believes that they have complied with the GDPR and utilize transparent consent practices. Whether Google’s appeal is successful will help set the bar for what is acceptable compliance under the GDPR. If Google is successful, many other organizations will likely try to appeal future fines. If the fine stands, these organizations will probably review and update compliance efforts to avoid violations.

As suspected after enactment of the GDPR, global influence is unavoidable. Since Google is a U.S. based organization, the France ruling will increase the pressure for a comprehensive federal data privacy law. Many Americans and lawmakers have advocated for a clear and specific data privacy law for years. This could include provisions that clearly outline the FTC’s privacy enforcement power or even create an entirely new data privacy administration. While 2019 will likely be the year for further defining GDPR compliance and violations, it may also be when the U.S. finally makes significant steps in the realm of data privacy.