WASHINGTON— In response to the announcement that the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has fined Google 50 million euros for violating the General Data Protection Regulation (GDPR), the Center for Data Innovation released the following statement from its director, Daniel Castro:
Today’s announcement underscores why the GDPR is fundamentally not a viable model for regulating the digital economy. The GDPR requires companies to follow a complex and ambiguous set of rules, and it imposes substantial fines on businesses that step across these invisible lines. Some of these demands are even contradictory, such as requiring companies to be both comprehensive and concise when detailing how they use consumer data. These rules have introduced confusion and uncertainty into the digital economy while offering relatively few benefits to consumers.
The fine announced today sets a dangerous precedent. Penalties that target good-faith efforts to comply with the law, rather than those who deliberately or negligently misuse data, undermine the goals of the GDPR. They force companies to focus on check-the-box compliance, rather than making meaningful changes that will bring greater control of personal information to consumers or encourage greater investments in innovation.
Notably, CNIL did not identify any specific instances of consumer harm or malicious intent, yet it still imposed a substantial fine rather than merely seeking corrective behavior. Neither did it outline specific steps that the company could take to achieve compliance. This lack of clarity, which ironically is the chief complaint from regulators about the private sector, will not help companies achieve compliance. While there are many talented lawyers and engineers working in the tech industry, they aren’t mind readers.
As the United States and other countries consider pursuing new data protection laws, the failures of the GDPR should serve as a roadmap for some of the worst pitfalls to avoid.