France fines Google another €150 million

The French antitrust authority has fined Google €150 million for applying opaque and difficult-to-understand rules in an inconsistent manner.

The Autorité de la Concurrence is now pressing the internet giant to clarify the rules and working of Google Ads, as well as the accounts suspension procedure. Google has said it will appeal the decision in the country where it has faced regular criticism and fire.

“The way the rules are applied gives Google a power of life or death over some small businesses that live only on this kind of service,” said Isabelle de Silva, President of the watchdog.

With Google holding a market share in the region of 90% in the country, there seems to be little the search giant can take away from this decision other than a need for wide-sweeping changes.

Not only are the rules being challenged over their complexity and accessibility, but the way the company applies them is also being heavily criticised. Strict and complex rules are not necessarily a bad thing, assuming they are applied in a consistent and predictable manner. This does not seem to be the case here, which will perhaps be the most frustrating aspect for French businesses that just want to make money.

Although this is news today, what should be noted is that the investigation was launched four years ago. Gibmedia, a company which operates a range of websites including weather forecasts, challenged the rules after Google suspended its account immediately and without explanation. This might be seen as a win for Gibmedia, though the fact it took four years for the French authorities to come to this conclusion is nothing short of embarrassing.

Ericsson gets a $150 million bargain on its corruption fine from the US

Swedish kit vendor Ericsson got a $150 million early Christmas present from US authorities after its fine for violating corruption laws was finally revealed.

The consequence of being found guilty of using back-handers to grease the wheels of commerce in Djibouti, China, Vietnam, Indonesia and Kuwait as recently as Q1 2017 is a fine of SEK 1.06 billion. But since Ericsson had already accounted for a fine of SEK 11.5 billion, that means it now has 150 million bucks more than it expected to. It can now spend that bonus wedge on Christmas presents which, of course, it will account for in a transparent and correct manner.

To be fair to Ericsson, this is probably common business practice in some or all of those countries, but the trick is not to get caught, isn’t it? Both the US Department of Justice and the Securities and Exchange Commission have had a piece of this action and seem to have split the winnings equally, so Christmas should be fun there too.

The DoJ is trousering $520,650,432 in return for promising to drop all charges if Ericsson keeps its hands clean for the next three years. Presumably, if Ericsson does comply and the charges are dropped, the DoJ won’t pay back the half a bil, in spite of Ericsson no longer being legally guilty of doing anything wrong. That makes the whole thing smell like state extortion, but what do we know?

Meanwhile the SEC prefers to round its takings to the nearest 10k and is pocketing $539,920,000, which hilariously includes $81,540k in interest. This fine seems to be for the same activities so it’s not clear why Ericsson has to pay it twice. Maybe the fine was always going to be around a bil and the DoJ and SEC couldn’t agree on jurisdiction, so decided to split it down the middle.

“The DoJ proceeding is a criminal enforcement action and the SEC proceeding is a civil enforcement action,” explains the Ericsson announcement. “The agencies resolve their investigation independently of one another using their own discretion and applying different standards of proof. As a result, the DoJ and SEC have come to different conclusions based on the same facts.”

“I am upset by these past failings,” said Ericsson CEO Börje Ekholm. “Reaching a resolution with the US authorities allows us to close this legacy chapter. We can now move forward and build a stronger company. The settlement with the SEC and DOJ shows that we have not always met our standards in doing business the right way. This episode shows the importance of fact-based decision making and a culture that supports speaking up and confronting issues. We have worked tirelessly to implement a robust compliance program. This work will never stop.”

“Through slush funds, bribes, gifts, and graft, Ericsson conducted telecom business with the guiding principle that ‘money talks,’” said U.S. Attorney Geoffrey Berman. “Today’s guilty plea and surrender of over a billion dollars in combined penalties should communicate clearly to all corporate actors that doing business this way will not be tolerated.”

“Implementing strong compliance systems and internal controls are basic principles that international companies must follow to steer clear of illegal activity,” said Don Fort, Chief of IRS Criminal Investigation. “Ericsson’s shortcomings in these areas made it easier for its executives and employees to pay bribes and falsify its books and records. We will continue to pursue cases such as these in order to preserve a global commerce system free of corruption.”

So the IRS got a piece of the action too – nice. Here are the specific pieces of naughtiness Ericsson admitted to the DoJ, the charges for which, don’t forget, will probably be dismissed in three years’ time.

Between 2010 and 2014, Ericsson, via a subsidiary, made approximately $2.1 million in bribe payments to high-ranking government officials in Djibouti in order to obtain a contract with the state-owned telecommunications company valued at approximately €20.3 million to modernize the mobile networks system in Djibouti. In order to effectuate the scheme, an Ericsson subsidiary entered into a sham contract with a consulting company and approved fake invoices to conceal the bribe payments. Ericsson employees also completed a draft due diligence report that failed to disclose the spousal relationship between the owner of the consulting company and one of the high-ranking government officials.

In China, between 2000 and 2016, Ericsson subsidiaries caused tens of millions of dollars to be paid to various agents, consultants and service providers, a portion of which was used to fund a travel expense account in China that covered gifts, travel and entertainment for foreign officials, including customers from state-owned telecommunications companies. Ericsson used the travel expense account to win business with Chinese state-owned customers. In addition, between 2013 and 2016, Ericsson subsidiaries made payments of approximately $31.5 million to third-party service providers pursuant to sham contracts for services that were never performed. The purpose of these payments was to allow Ericsson’s subsidiaries in China to continue to use and pay third-party agents in China in contravention of Ericsson’s policies and procedures. Ericsson knowingly mischaracterized these payments and improperly recorded them in its books and records.

In Vietnam, between 2012 and 2015, Ericsson subsidiaries made approximately $4.8 million in payments to a consulting company in order to create off-the-books slush funds, associated with Ericsson’s customers in Vietnam, that were used to make payments to third parties who would not be able to pass Ericsson’s due diligence processes. Ericsson knowingly mischaracterized these payments and improperly recorded them in Ericsson’s books and records. Similarly, in Indonesia, between 2012 and 2015, an Ericsson subsidiary made approximately $45 million in payments to a consulting company in order to create off-the-books slush funds, and concealed the payments on Ericsson’s books and records.

In Kuwait, between 2011 and 2013, an Ericsson subsidiary promised a payment of approximately $450,000 to a consulting company at the request of a sales agent, and then entered into a sham contract with the consulting company and approved a fake invoice for services that were never performed in order to conceal the payment. The sales agent provided an Ericsson employee with inside information about a tender for the modernization of a state-owned telecommunications company’s radio access network in Kuwait. An Ericsson subsidiary was awarded the contract valued at approximately $182 million; Ericsson subsequently made the $450,000 payment to the consulting company and improperly recorded it in its books.

There was clearly a fair amount of dodgy stuff going on in the above cases, but none of it is especially shocking. Under-the-table payments are an endemic issue everywhere in the business world and the trick is to launder them such that they look legit. Ericsson clearly failed to do this and that’s really what it’s being punished for.

But nobody seems to be questioning the US’s jurisdiction in prosecuting this matter. None of the back-handers were paid in the US, nor do they seem to have involved US companies, so why is the US policing this matter? Maybe the answer lies in the fines, none of which will apparently find their way to the countries supposedly corrupted by all this. Even with a $150 million discount, the US authorities are now the ultimate beneficiaries of Ericsson’s naughtiness.

Vodafone Idea threatens closure over $13 billion fine

Vodafone Idea has stated it will shut down its business unless the Indian Government offers relief from the $13 billion demands which have been directed at the firm.

Speaking at a conference in New Delhi, Vodafone Idea Chairman Kumar Mangalam Birla has threatened to compromise the competitive landscape in India even further in light of the monstrous spectrum bills which have been handed to the telcos. This is an argument which has been ongoing for more than a decade, though the penalties and interest fees may well cripple Vodafone Idea.

“If we are not getting anything then I think it is end of story for Vodafone Idea,” said Birla. “It does not make sense to put good money after bad. That would be end of story for us. We will shut shop.”

This dramatic statement from the Chairman specifically links back to a dispute concerning spectrum licence fee payments, as well as additional interest and penalties. Ultimately, the telcos could be liable for an eye-watering 1.47 Indian rupees, roughly $21 billion. Looking at the bigger picture, this is further evidence that the Indian Government and the Telecom Regulatory Authority of India (TRAI) are unable to manage the market effectively.

Looking at the fine, the Indian Government has stated the spectrum licence requires the telcos to hand over a proportion of revenues for the period during which the licence has been held. The debate is over how much is owed, as the telcos seem to believe it should only be revenue associated with the spectrum, while the Government does not.

The saga itself was elevated to the High Court, with the Judge ruling in favour of the Government. With the monstrous bill standing, both Vodafone Idea and Bharti Airtel have petitioned for relief. Reliance Jio is also facing the same fees, interest and penalties, but as it has only been operational since December 2016, the financial burden is significantly less.

For Vodafone Idea, despite the ongoing potential for profits in India, it appears the financial stress is simply getting too much. The shifting dynamics of competition in India have already forced a merger between Vodafone India and Idea Cellular, and it will get to a point where the outgoing cash makes it intolerable to continue operating in the country. It seems the point of no return is looming large on the horizon.

From a revenue perspective, you can see this is a market which is in trouble. There is significant potential for upside as digital takes hold, though the telcos will have to weather the storm first.

Quarter   Industry Revenue (Rupee, Billions)
Q1 2019   390
Q4 2018   432
Q3 2018   426
Q2 2018   469
Q1 2018   440
Q4 2017   435
Q3 2017   466
Q2 2017   493
Q1 2017   505

With tariffs set to increase by between 15% and 40% over the coming months, the overall revenues in the Indian telecoms market will increase, though it might be a matter of too little, too late for Vodafone Idea. As you can see from the quarterly revenues, a significant chunk of cash has been taken out of the market through Reliance Jio’s aggressive pricing strategy, forcing consolidation and crippling competition.

Taking a view of the bigger picture, this is another example of the Indian authorities ineffectively managing the telecoms market. The Government and regulator have been attempting to drive India forward into the digital economy, but the aggressive pursuit and favour granted to market disruptor Reliance Jio is crippling the traditional telcos.

With Vodafone India and Idea Cellular merging, Telenor and Reliance Communications exiting, Tata being acquired by Bharti Airtel, the state-owned telcos only surviving because of Government handouts and Bharti facing similar financial burdens, it seems only Reliance Jio is in a healthy position. In pursuit of digital glories, the authorities have placed India on a fast-track to a monopolised telecoms market, which is not healthy for anyone.

Ericsson sets aside $1.2 billion in preparation for corruption fine

Since 2013, Ericsson has been the focus of two investigations concerning the Swedish vendor’s compliance with the US Foreign Corrupt Practices Act (FCPA), and now it is preparing for the fine.

The investigation officially ended in the fourth quarter of 2017, though Ericsson has been in continued dialogue with the Securities and Exchange Commission (SEC) and the Department of Justice (DoJ) since. With the company found to have broken the law in six markets, Ericsson expects the combined fines to be north of $1 billion. Today’s announcement is to prepare investors for the hit.

“With today’s announcement we confront another legacy issue and take the next step in resolving it,” said Ericsson CEO Börje Ekholm.

“We have to recognize that the Company has failed in the past and I can assure you that we work hard every day to build a stronger Ericsson, where ethics and compliance are cornerstones in how we conduct business. Over the past two years, we have made significant investments in our ethics and compliance program including our investigative capabilities and have taken actions against employees who have transgressed our values and standards.”

Corrections have been made to internal procedures in the six years since the probes began, though the affair still casts a dark shadow over the vendor. Corruption allegations are never favourable, regardless of how far in the past the conduct was.

Starting in 2013, the SEC launched a probe, with the DoJ joining the party in 2015. The investigations covered a four-year period, ending in 2017, relating to bribes which were offered to Government officials. Ericsson was found to be non-compliant with the FCPA in six markets: China, Djibouti, Indonesia, Kuwait, Saudi Arabia, and Vietnam.

Like every other law, the FCPA has hundreds of provisions and clauses, though there are two for which it is most readily known. Firstly, rules dictating accounting transparency requirements under the Securities Exchange Act of 1934, and secondly, rules concerning bribery of foreign officials.

In short, the anti-bribery rules state it is unlawful to provide anything of material value to government officials to obtain or retain business. On the accounting transparency side, the rules are there to ensure a company has an effective compliance and accountability system that internally prevents illegal activity.

Although Ericsson has been co-operative with the agencies during the investigation, the $1 billion fine might only be part of the problem. The Ericsson management team has pointed to additional risks associated with this saga, including reputational damage. The team will have been working hard to smooth over the cracks; however, the official fine might well encourage other parties to have a closer look at the relationships in place.

Is $170 million a big enough fine to stop Google privacy violations?

Another week has passed, and we have another story focusing on privacy violations at Google. This time it has cost the search giant $170 million, but is that anywhere near enough?

The Federal Trade Commission (FTC) has announced yet another fine for Google, this time the YouTube video platform has been caught breaking privacy rules. An investigation found YouTube had been collecting and processing personal data of children, without seeking permission from the individuals or parents.

“YouTube touted its popularity with children to prospective corporate clients,” said FTC Chairman Joe Simons. “Yet when it came to complying with COPPA [the Children’s Online Privacy Protection Act], the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”

Once again, a prominent member of Silicon Valley society has been caught flouting privacy laws. The ‘act now, seek permission later’ attitude of the internet giants is on show, and there doesn’t seem to be any evidence of these incredibly powerful and monstrously influential companies respecting laws or the privacy rights of users.

At some point, authorities are going to have to ask whether these companies will ever respect these rules on their own, or whether they have to be forced. If there is a carrot and stick approach, the stick has to be sharp, and we wonder whether it is anywhere near sharp enough. The question which we would like to pose here is whether $170 million is a large enough deterrent to ensure Google does something to respect the rules.

Privacy violations are nothing new when it comes to the internet. This is partly down to the flagrant attitude of those left in positions of responsibility, but also the inability of rule makers to keep pace with the eye-wateringly fast progress Silicon Valley is making.

In this example, rules have been introduced to hold Google accountable; however, we do not believe the fine is anywhere near large enough to ensure action.

Taking 2018 revenues at Google, the $170 million fine represents 0.124% of the total revenues made across the year. Google made, on average, $370 million per day, roughly $15 million per hour. It would take Google just over 11 hours and 20 minutes to pay off this fine.

Of course, what is worth taking into account is that these numbers are 12 months old. Looking at the most recent financial results, revenues increased 19% year-on-year for Q2 2019. Over the 91-day period ending June 30, Google made $38.9 billion, or $427 million a day, $17.8 million an hour. It would now take less than 10 hours to pay off the fine.

Fines are supposed to act as a deterrent, a call to action to avoid receiving another one. We question whether these numbers are relevant to Google and if the US should consider its own version of Europe’s General Data Protection Regulation (GDPR).

This is a course which would strike fear into the hearts of Silicon Valley’s leadership, as well as pretty much every other company which has any form of digital presence. It was hard work to become GDPR compliant, though it was necessary. Those who break the rules are now potentially exposed to a fine of €20 million or 3% of annual revenue. British Airways was recently fined £183 million for GDPR violations, a figure which represented 1.5% of total revenues, reduced because BA co-operated during the investigation and owned up.

More importantly, European companies are now taking privacy, security and data protection very seriously, while the persistent presence of privacy violations in the US suggests a severe overhaul of the rules and punishments is required.

Of course, Google and YouTube have reacted to the news in the way you would imagine. The team has come, cap in hand, to explain the situation.

“We will also stop serving personalized ads on this content entirely, and some features will no longer be available on this type of content, like comments and notifications,” YouTube CEO Susan Wojcicki said in a statement following the fine.

“In order to identify content made for kids, creators will be required to tell us when their content falls in this category, and we’ll also use machine learning to find videos that clearly target young audiences, for example those that have an emphasis on kids characters, themes, toys, or games.”

The appropriate changes have been made to privacy policies and the way in which ads are served to children, though amazingly, the blog post does not feature the words ‘sorry’, ‘apology’, ‘wrong’ or ‘inappropriate’. There is no admission of fault, simply a statement that suggests they will be compliant with the rules.

We wonder how long it will be before Google is caught breaking privacy rules again. Of course, Google is not alone here; if you cast the net wider to include everyone from Silicon Valley, we suspect there will be another incident, investigation or fine to report on next week.

Privacy rules are not acting as a deterrent nowadays. These companies have simply grown too large for the fines imposed by agencies to have a material impact. We suspect Google made much more than $170 million through the adverts served to children over this period. If the fine does not exceed the benefit, will the guilty party stop? Of course not; Google is designed to make money, not to serve the world.

Giffgaff managed to find a way to overcharge prepaid subscribers

UK telecoms regulator Ofcom has fined MVNO Giffgaff £1.4 million for double-charging some of its pay-as-you-go customers.

Giffgaff specialises in prepaid SIM-only mobile phone deals, in which subscribers buy chunks of data, etc., marketed as ‘goodybags’, in advance and then buy more when those are used up. Any data used when a goodybag isn’t active is charged at 5p per MB. It looks like there was some delay in the billing system properly recognising when a fresh goodybag had been purchased, resulting in people continuing to pay the metered rate at the same time.

This resulted in 2.6 million customers being overcharged by a total of £2.9 million, which might seem like a lot but is only a quid per punter. Once Giffgaff realised what it had done it grassed itself up to Ofcom, which proceeded to spend the next ten months ‘investigating’ what it had already been told. This resulted in Giffgaff being fined £1.4 million, which would have been more if Giffgaff hadn’t fessed up and already attempted to refund the overcharging.

“Getting bills right is a basic duty for every phone company,” pronounced Gaucho Rasmussen, Ofcom’s Director of Investigations and Enforcement. “But Giffgaff made unacceptable mistakes, leaving millions of customers out of pocket. This fine should serve as a warning to all communications providers: if they get bills wrong, we’ll step in to protect customers.”

Thanks Gaucho, but didn’t Giffgaff tell you what it had done and hasn’t it already taken remedial measures? What, exactly, have you done to further protect customers other than spend ten months mulling over how much to fine them? Even regulators can never resist an opportunity to self-promote.

Giffgaff seems to have missed a PR trick here too. There is nothing on its website or social media addressing this, so people are largely left to interpret the background to the fine themselves. For a prepaid brand that makes a virtue of transparency and value for money, this apparent shiftiness and surrendering of the narrative could end up being far more harmful than the fine itself.

FTC hits Facebook with $5bn privacy fine

The Federal Trade Commission (FTC) has hit Facebook with a fine of $5 billion relating to numerous privacy violations over the last few years.

The fine itself, which is the largest ever imposed on any company for violating consumers’ privacy, will be accompanied by broad changes to Facebook’s consumer privacy practices. The decision will also force Facebook to build more decision-making oversight into its privacy policies.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons.

“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

The accusations directed towards Facebook will sound very familiar. Whether it is using deceptive disclosures or secretive settings to disguise features and undermine privacy principles, or violation of previous commitments made to privacy in a 2012 FTC Order and dubious data-sharing relationships with third-parties, Facebook is facing a massive disruption to the way it manages data and approaches user privacy.

Looking at the changes Facebook will have to make, CEO Mark Zuckerberg is no longer allowed to be the single decision maker for privacy policies, a position which was ridiculous in the first place. Facebook will also be forced to appoint an ‘independent privacy committee’ to ensure a position which is consistent with society’s expectations.

Privacy policies will filter down through the organization, theoretically, through the appointment of Compliance Officers. Another condition set upon Facebook is granting more powers to independent third-party assessors, who will conduct privacy assessments every other year.

There are numerous other orders placed on Facebook as part of the negotiation between the FTC and the social media giant, including:

  • Facebook must exercise greater oversight over third-party apps
  • Phone numbers obtained to enable a security feature cannot be used in advertising mechanisms
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology
  • Facebook must encrypt user passwords and regularly audit security systems

While many of these demands from the FTC might be considered standard business practice in today’s privacy-conscious world, they are likely to cause disruption for Facebook internally.

“After months of negotiations, we’ve reached an agreement with the Federal Trade Commission that provides a comprehensive new framework for protecting people’s privacy and the information they give us,” said Facebook General Counsel Colin Stretch.

“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”

Although it is an incredibly steep fine for Facebook to stomach, we suspect it won’t bother the bean counters that much. Facebook is a money-making machine, and this will soon enough be nothing more than a minor blip. The disruption to its finely-tuned advertising machine will be more of an issue, but it could work in Facebook’s favour.

Facebook is being forced to be more transparent and treat privacy principles with respect. Left to its own fate, the social media giant probably wouldn’t have taken such drastic measures to disrupt itself. However, being forced into these changes could earn Facebook trust and credibility points in the eyes of the consumer.

If Facebook owns this punishment, while shouting and screaming about the changes it is making to become compliant with the order, it could swing public favour back onto its side. Facebook needs to present itself as a privacy conscious organization and this is a perfect opportunity to do so.

ICO gets serious on British Airways over GDPR

The UK’s Information Commissioner’s Office has swung the sharp stick of GDPR at British Airways and it looks like the damage might be a £183.39 million fine.

With GDPR inked into the rule book in May last year, the first investigations under the new guidelines will be coming to a conclusion in the near future. There have been several judgments passed in the last couple of months, but this is one of the most significant in the UK to date.

What is worth noting is this is not the final decision; this is an intention to fine £183.39 million. We do not imagine the final figure will differ too much, as the ICO will want to show it is serious, but BA will be given the opportunity to have its voice heard with regard to the amount.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham.

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The EU’s GDPR, General Data Protection Regulation, offers regulators the opportunity to fine guilty parties €20 million or as much as 3% of total revenues for the year the incident occurred. In this case, BA will be fined 1.5% of its total revenues for 2018, with the fine being reduced for several reasons.

In September 2018, user traffic was directed towards a fake British Airways site, with the nefarious actors harvesting the data of more than 500,000 customers. In this instance, BA informed the authorities of the breach within the defined window, co-operated during the investigation and made improvements to its security systems.

While many might have suggested the UK watchdog, or many regulators around the world for that matter, lack teeth when it comes to dealing with privacy violations, this ruling should put that preconception to rest. This is a weighty fine, which should force the BA management team to take security and privacy seriously; if there is one way to make executives listen, it’s to hit them in the pocket.

This should also be seen as a lesson for other businesses in the UK. Not only is the ICO brave enough to hand out fines for non-compliance, it is mature enough to reduce the fine should the affected organization play nice. £183.39 million is half of what was theoretically possible and should be seen as a win for BA.

Although this is a good start, we would like to see the ICO, and other regulatory bodies, set their sights on the worst offenders when it comes to data privacy. Companies like BA should be punished when they end up on the wrong side of right, but the likes of Facebook, Google and Amazon have gotten an easy ride so far. These are the companies with the greatest influence when it comes to personal information, and the ones which need to be shown the rod.

This is one of the first heavy fines issued in the era of GDPR, and the difference is clear. Last November, Uber was fined £385,000 for a data breach which impacted 2.7 million customers and drivers in the UK. That incident occurred prior to the introduction of GDPR, which is why the punishment looks so measly compared to the BA fine here.

The next couple of months might be a busy time in the office of the ICO as more investigations conclude. We expect some heavy fines as the watchdog bares its teeth and forces companies back onto the straight and narrow when it comes to privacy and data protection.

Security is a concern, especially as it can hit bank accounts now

New research from EY suggests British businesses are more concerned than ever about security. Funny that, considering there’s now a whopping fine to worry about.

Security is one of those areas which is constantly discussed but little is done to address. Regardless of how many CEOs tell you it’s top of the agenda or how many statements start with the phrase ‘our customers’ security is our number one concern’, it’s an aspect of the technology world which has been swept aside. But not according to this research from EY.

“It’s not surprising that businesses are most concerned with the threat of cyberattacks,” said Adrian Baschnonga, Global Lead Telecommunications Analyst at EY. “The introduction of 5G will help organisations unlock new growth opportunities, but this transition comes at a time when fears regarding data breaches and network security are especially pronounced.”

While you always have to take statements like this with a pinch of salt, it might be right this time. Why? Because if you want to make executives care about something aside from their annual bonuses, you have to fight fire with fire.

Under the General Data Protection Regulation (GDPR) brought into play last May, any company which is found to have inadequately protected customer or employee data is subject to fines of 3% of annual turnover or €20 million. GDPR fines are proportionate to the risk posed by a breach, allowing flexibility for regulators to tackle the problem, but it certainly seems to have caught some attention.

According to professional services firm RPC, in the 12 months prior to September 30 2018 (the period in which GDPR was introduced) the Information Commissioner’s Office issued fines totalling just over £5 million, a 24% increase on the previous period of 12 months. Considering the ICO only had a couple of months to swing the GDPR stick at offenders, it would be fair to assume the watchdog is fully embracing the new powers offered to it.

This also seems to have hit home with those investing in new technologies. 40% of respondents to EY’s survey are worried about 5G and cyberattacks, while 37% saw IoT as a risk. These numbers aren’t particularly high, but they are the biggest concerns.

Another factor to consider is the consumer. While many will have been blind to the risk of data breaches in bygone years, this does not seem to be the case anymore. Recent Lloyd’s research claims 44% of UK consumers believe there is a risk to personal safety in the sharing economy, perhaps indicating they would be hard-pushed to share data. If enterprise organizations are going to benefit from the data boom, they’ll have to convince customers that their personal information will be safe.

Whether this translates to appropriate security investments remains to be seen, as there seems to be a lack of ownership over security overall. Enterprise organizations are looking to suppliers for security to be built into products, while it is perfectly reasonable for suppliers to ask enterprise organizations to do more. Security should be built into products, but if an individual buys a front door, the manufacturer cannot be blamed when it is left open or an inadequate lock is used.

More often than not the carrot is used to incentivise business, but it seems the GDPR stick is an effective tool in bringing security to the front of executives’ minds. Hopefully now there will be less pandering for PR headlines and more affirmative action.

France fines Google for being vague

The French regulator has swung the GDPR stick for the first time and landed it firmly on Google’s rump, costing the firm €50 million for transparency and consent violations.

The National Data Protection Commission (CNIL) has been investigating the search engine giant since May, when None Of Your Business (NOYB) and La Quadrature du Net (LQDN) filed complaints suggesting GDPR violations. The claims specifically suggested Google was not providing adequate information to the user on how data would be used or how long it would be retained for, while also suggesting Google made the process of finding more information unnecessarily complex.

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the CNIL said in a statement.

“But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes.”

This seems to be the most prominent issue raised by the CNIL. Google was being too vague when obtaining consent in the first instance, and when digging deeper the rabbit hole became too complicated.

Information on data processing purposes, the data storage periods or the categories of personal data used for the ad personalization were spread across several pages or documents. It has been deemed too complicated for any reasonable member of the general public to make sense of and therefore a violation of GDPR.

When first obtaining consent, Google did not offer enough clarity on how data would be used, and therefore had no legal grounding to offer personalised ads. Secondly, the firm then wove too vexing a maze of red tape for those who wanted to understand the implications further.

It’ll now be interesting to see how many other firms are brought to the chopping block. Terms of Service have been over-complicated documents for a long time now, with the excessive jargon almost becoming best practice in the industry. Perhaps this ruling will ensure internet companies make the legal necessities more accessible, otherwise they might be facing the same swinging GDPR stick as Google has done here.

For those who are finding the NOYB acronym slightly familiar it might be because the non-profit recently filed complaints against eight of the internet giants, including Google subsidiary YouTube. These complaints focus on ‘right to access’ clauses in GDPR, with none of the parties responding to requests with enough information on how data is sourced, how long it would be retained for or how it has been used.

As GDPR is still a relatively new set of regulations for the courts to ponder (the complaints from NOYB and LQDN were filed almost as soon as the new rules came into force), this case gives some insight into how sharp the CNIL’s teeth are. €50 million might not be a monstrous amount for Google, but this is only a single ruling. There are more complaints in the pipeline, meaning the next couple of months could prove to be very expensive for the Silicon Valley slicker.