Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Compliance

2/7/2019
09:50 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

Google's GDPR Fine: What It Means for Jurisdictional Arbitrage

In the wake of France's recent euro 50 million GDPR fine against Google, enterprises should consider GDPR-enforcement considerations when determining the base of their EU operations.\r\n\r\n

When large organizations decide where to base their operations, a jurisdiction's data-regulation enforcement could become as significant a consideration as its tax treatment, if the EU's first multi-million-Euro GDPR fine is any indication.

On January 21, France's Data Protection Authority (DPA) -- the National Data Protection Commission (CNIL) -- issued a €50 million (US$56.7 million) fine against Google for unlawfully processing user data, "particularly for ads personalization purposes."

Lawyers and industry pundits have long anticipated Google getting slapped with a GDPR fine at some point -- paricularly since None of Your Business, a data-privacy organization operated by way of activist and serial litigant Max Schrems, filed the relevant GDPR complaint against Google on May 25, 2018 -- the day GDPR went into effect. What may have been unanticipated -- and what matters more -- is where the fine came from.

No such Irish luck Google Ireland Ltd. has long existed as Google's headquarters for the EMEA region (Europe, the Middle East, and Africa) to satisfy the requirements of a tax-shelter mechanism. Incidentally, it is also generally considered Google's EU headquarters for data-protection purposes. Normally, per GDPR's "one-stop shop" rubric, the DPA of the nation where the entity's operations are directed will typically be the enforcing party. In this case, however, the CNIL determined that as of the day it began proceedings against Google, Google's Irish subsidiary "did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by [Google] in relation to the creation of an account during the configuration of a mobile phone."

No doubt as part of maintaining the headquarters status of its Irish subsidiary for tax purposes, Google naturally designated the same subsidiary as its headquarters for data-protection enforcement purposes -- and GDPR apparently caught the tech giant with its pants down. While Google Ireland Ltd. may have been actively controlling and even complying with other GDPR-related data and data activities, CNIL charged that Google's data practices involving Android settings were effectively controlled from the US -- bypassing Ireland and all other EU member states. And, indeed, the initial complaint in this case was filed against US-based Google LLC.

In a vacuum, all these factors put GDPR-enforcement jurisdiction up for grabs. As the complaint was filed in France, France's CNIL handled it.

"The CNIL [contacted] other EU DPAs, including the Irish DPA, in order to determine whether any other DPA was the lead authority and should pursue the investigation and enforcement," Deborah Shinbein Howitt, director at Denver law firm Lewis Bess Williams & Reese, told Security Now. "[N]either the Irish Data Protection Commission nor any other EU DPA considered itself to be the lead supervisory authority for the US entity Google LLC, so the CNIL was then clear to proceed."

Does member-state jurisdiction matter?
In a perfect rule-of-law world, untainted by individual human prejudices and feelings, the dictates of GDPR itself (variances between individual member-state data-privacy and data-protection laws enacted to enable or complement GDPR notwithstanding) would be evenly enforced in a consistent manner across all EU member-state DPAs. (See GDPR: Broad, Complex & Coming Soon.)

But this is not a perfect world. Some member states are more prickly than others when it comes to data privacy. Shinbein Howitt particularly points to Germany, among others, as having a reputation for being stricter about both data-privacy rulemaking and data-privacy enforcement. Austria, for its part, is noted for being the only EU member state to reject GDPR for not going far enough; Austria was also the first country to publicly issue a GDPR fine -- against a small business for not providing sufficient notice that a CCTV security camera was recording part of a public way. (See: GDPR Fines: Some Bark, Little Bite.)

France, meanwhile, is far from best friends with Google -- and may feel that Google owes her. Nineteen months ago, a French court ruled in Google's favor against the French government in a back-taxes case worth approximately €1.11 billion ($1.27 billion) -- a case that, incidentally, have arisen from Google's EMEA tax-avoidance mechanism. French politicos may well feel that Google owes France its due one way or another.

"Companies often establish their headquarters in a certain location for tax reasons or other favorable regulation. At this time, it seems that companies may wish to start taking data-privacy regulation into consideration when making these decisions as well," said Shinbein Howitt. "Considering the magnitude of potential GDPR fines, particularly for large companies, the consequences of choosing a location for privacy reasons could be as significant as the choices often made to minimize tax liability."

Indeed, for certain violations of GDPR, the maximum fine is the higher of either €20 million or 4% of the entity's annual revenue. Because Google is, well, Google, the latter very definitely applies. While the €50 million fine represents only a drop in Google's bucket, CNIL could conceivably fine Google 90 times as much based on Google's past four quarters.

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Your new device is too complex. Me stick with iWheel.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21312
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/documen...
CVE-2021-21313
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target and id are not proper...
CVE-2021-21314
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.
CVE-2021-27931
PUBLISHED: 2021-03-03
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
CVE-2021-27935
PUBLISHED: 2021-03-03
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.