On January 21, 2019, the French National Data Protection Commission (CNIL) fined Google Euros 50 million for not complying with the General Data Protection Regulation (GDPR).   There will be a legal challenge, but this blog focuses on the policy considerations surrounding the decision.  There are at least three initial takeaways from the CNIL decision.  First, this enforcement action demonstrates that the GDPR should not be replicated word for word in a possible U.S. federal privacy law.  Some notion of consumer harm should enter the calculation when a fine is considered.  Second, DPAs should be more forthcoming with guidance on how to comply with the GDPR, especially when companies are making a good faith effort to comply with the law.  Third, there is a risk that the one-stop-shop is going to become effectively meaningless.  As U.S. policymakers consider a federal privacy law, this should be a key co ...

Does the EU’s right to be forgotten extend to the whole world?  The French data protection authority, CNIL, says yes and wants search engines to delist search results which contain information that violates the European Union’s right to be forgotten – not just for French users, not just for European users, but for all users everywhere. Google is prepared to remove offending search results for European users, but balks at removing material globally just because European courts find that it violates European privacy rules.