Google and Uber prepare for the EU GDPR after facing fines

On August 29, 2017, through self-certification, Google affirmed adherence to the Privacy Shield frameworks designed jointly by the US Department of Commerce, and the European Commission and Swiss Administration. The Privacy Shield framework establishes protocol for the secure transfer of personal data from the EU and Switzerland to the US.

Google will apply Privacy Shield specifications and safeguards to publicly comply with its data protection requirements, which are enforceable under US law.

Google’s adoption of Privacy Shield specifications comes after the European Commission (EC) imposed a €2.42 billion fine for breaking EU antitrust rules. The EC determined that, throughout the entire European Economic Area (EEA), Google leverages its dominance in general Internet search to illegally promote its comparison shopping tool (Google Shopping) while demoting rivals.

Although Google intends to appeal the decision, the company must end said illegal practices within 90 days and avoid comparable antitrust-related activities. Furthermore, during an initial 60-day probation, Google must keep the EC updated on its actions, followed by a regular reporting schedule.

Google’s self-certification and adherence to the Privacy Shield shows its inclination to comply with the EC and, by extension, the imminent General Data Protection Regulation (GDPR).

Google–EC altercation a sign of things to come under the GDPR

According to the EC, the fine accounts for the duration and gravity of the infringement, based on its 2006 guidelines for fines. It was “… calculated [based] on … the value of Google’s revenue from its comparison shopping service in the 13 EEA countries concerned.” The fine serves as a warning to companies of all sizes to avoid breaking antitrust laws or face harsh penalties.

Brian Bandey – a doctor of law, and a leading expert in international IP, data protection, and e-safety law – claims that the GDPR will adopt a similar approach to the EC when it comes to privacy breaches. “The EU States hold the concept of individual personality and their consequent rights very highly,” he said. “In a sense, that is the moving force behind the GDPR.”

Facebook fined for unlawfully collecting user data

The Spanish Agency for Data Protection, AEPD, fined Facebook €1.2 million ($1.44 million) for impinging upon the privacy rights of millions of users in Spain for its advertising initiatives. The agency asserts that at least three times the social media giant collected sensitive information about its members – including gender, religious beliefs and personal tastes – without telling them the purpose. “Facebook’s privacy policy contains generic and unclear terms,” the AEPD stated.

The AEPD shunned Facebook for tracking members’ browsing history on third party sites within its portal and for using cookies to ascertain nonmembers who “Liked” certain content on other websites. The company is also under fire for allegedly failing to delete user accounts for more than 17 months after members closed them.

Spain is just one of several countries – including Belgium, France, Germany and the Netherlands – that are probing Facebook for their data privacy practices. Facebook and Google have each experienced recent crackdowns on their cybersecurity practices due to their sheer sizes. How do you levy a punitive dent if company earnings are so high? The upcoming GDPR will make companies large and small think twice about privacy to avoid fines of up to €20 million or 4% of their annual global revenue.

Uber to implement a wide-ranging privacy program

On August 15, 2017 the US Federal Trade Commission (FTC) announced that Uber Technologies Inc. settled allegations that it failed to protect the personal information of drivers and passengers.

News broke in late 2014 that Uber employees were inappropriately accessing customer data. The company developed an automated system to monitor employee access to this data in December 2014, but the FTC claims it underused it. A breach in customer data stored by a third-party Cloud provider also raised questions about Uber’s approach to privacy.

To guarantee FTC compliance, Uber has agreed to conduct a privacy audit every two years for the next 20 years. Two weeks after the settlement, Uber removed a function allowing its app to collect user location data up to five minutes after a car ride. Users and privacy advocates criticized this feature after it was added in November 2016 due to privacy concerns, and because it forced users to provide location data all the time or not at all.

Joe Sullivan, Uber’s chief security officer, is working to improve the company’s privacy, security, and transparency. He claims that, previously, Uber was committed to privacy but did not have adequate expertise.

Data privacy is vital

The EU GDPR comes into effect in May 2018, so US companies of all sizes should take heed of Google and Uber’s situations and act appropriately to avoid penalties. Any organization that processes EU residents’ personal data has only a short time to comply with the Regulation. Ignoring the GDPR or getting compliance wrong will have costly repercussions.

Get started today

With less than nine months left to comply with the Regulation, it’s time to start preparing. IT Governance offers all the products and services you need to help implement your EU GDPR project.

A good place to start your compliance project is with training. With our Certified EU General Data Protection Regulation Foundation (GDPR) Online Training Course, you will learn from experts how the GDPR will affect your organization and get an understanding of how to begin an implementation path to ensure compliance.