Google's fine in Spain has prompted a re-examination of the GDPR's impact on the tech industry.

When Google was fined 10 million euros (then $10.6 million) by Spain's data protection authority (DPA) last month, it reignited debate over why the company behind the world's most popular internet search engine—and other Big Tech companies in general—have not been penalized more frequently under the General Data Protection Regulation (GDPR).

The fine is Google's fourth under the European Union's strict privacy law, and the second highest in terms of dollar value, following a €50 million (then-US$57 million) penalty the company received in France in 2019. Sweden and Belgium are two other countries that have sanctioned the tech giant.


The Irish Data Protection Commission (DPC), Google's lead supervisory authority, has been criticized for its slowness in resolving two ongoing cross-border complaints against the company, including real-time bidding and how it uses personal data to drive advertising, as well as its use of location data.


Experts have differing opinions on why Google and other tech companies have gotten off so lightly.

"Perhaps an easy answer would be they haven’t been found to have broken the law," Nigel Jones, co-founder of Privacy Compliance Hub, said.


Jones added that the true answer could be "more nuanced." Because "they need to make sure they are on a firm legal footing if they are going to issue fines," European data regulators have tended to educate rather than penalize. "This requires resources, and the fact is the resources of Google far outweigh the resources of any regulator."


Another reason, according to Jones, is that Google, unlike some other tech companies, has taken a more conciliatory approach with the Irish regulator and other DPAs about what practices might be in violation of the GDPR, which means "there will have been a dialogue going backwards and forwards between the company and the regulator for all this time."


Google's move has already paid off: a cross-border complaint with the Irish DPC over YouTube content involving a child, for example, was settled amicably.


The nature of potential GDPR breaches, according to Ryan Gracey, head of technology and partner at law firm Gordons, is the reason why Big Tech firms have received relatively few fines to date.


"Big Tech investigations have tended to cover their own misuse of personal data to gain financial and competitive advantages, like Google’s lack of transparency to individuals on how their personal data is used," Gracey said, "while other industries where we have seen a higher frequency of fines, like telecoms, involve data breaches related to the mass disclosure of personal information."


According to Gracey, the former "are difficult, complex, and time-consuming for regulators to investigate, understand, and take action on," whereas the latter "are much more straightforward" because the regulator can quickly identify the breach, weigh aggravating and mitigating factors, and then issue a proportionate fine.


Part of the difficulty in regulating Big Tech, according to experts, is a lack of transparency about firms' activities, which makes it more difficult to know what is being done. Another issue is these companies' attempts to expand their legal departments.


Further issues, according to Flavia Kenyon, a barrister at law firm The 36 Group, are the GDPR's enforcement powers failing and regulators' timidity.


The GDPR's one-stop shop mechanism, she believes, is "not fit for purpose" and "failing to deal with data protection issues concerning millions of web users across Europe."


Because of the Irish DPC's inaction, the European Commission is drafting antitrust legislation against Big Tech to address misuse of personal data, privacy, and data monopolies, as well as to "re-assert the Commission’s digital sovereignty via another legislative route," she said. National regulators would be able to levy fines of up to ten percent of global turnover under the proposed Digital Markets Act.


Fines are only one tool available to supervisory authorities under the GDPR, according to Will Richmond-Coggan, a director and specialist in data protection disputes at law firm Freeths. "Being realistic, for a company the size of Google, fines are not necessarily going to be the best way to secure positive improvements," he said.


The Information Commissioner's Office in the United Kingdom, for example, did not levy a fine against Google's DeepMind project for its unauthorized use of medical personal data for a diagnostic research initiative, but used the opportunity to issue guidance on how such projects should be set up and operated in the future to ensure compliance.


The idea that Big Tech firms have "got off light" in the European Union has been questioned by Richmond-Coggan. They have been the target of a lot of regulatory activity, and they have gotten some of the harshest penalties under the GDPR, he said.


Furthermore, privacy campaigner Max Schrems' series of legal challenges against Meta/Facebook has completely reshaped the international data transfer landscape, putting data protection and compliance at the forefront of tech firms' activities, according to Richmond-Coggan.

By fLEXI tEAM