MasterCard: EUR 570 million

MasterCard has just been sanctioned with a EUR 570.6 million penalty by the European Commission for “limiting the possibility for merchants to benefit from better conditions offered by banks established elsewhere in the Single Market, in breach of EU antitrust rules.” This is the final outcome of an investigation opened in 2013 on interchange fees: the European Commission, defending the principle of a Single Market, investigated the practices of both Visa and MasterCard which imposed different interchange fees to merchants according to their location in the EU. Mastercard fully cooperated with investigators which led to a reduction in the fine of about 10%.

Mastercard's rules obliged acquiring banks to apply the interchange fees of the country where the retailer was located. Prior to 9 December 2015, when the Interchange Fee Regulation introduced caps, interchange fees varied considerably from one country to another. As a result, retailers in high-interchange fee countries could not benefit from lower interchange fees offered by an acquiring bank located in another Member State.

Now, interchange fees are capped in the EU, to a maximum of 0.2% of the transaction's value for debit cards and 0.3% of the transaction's value for credit cards. A spokesperson for the company said: “MasterCard said the EU decision "puts an end to a legacy investigation" into "historic practices only" that were in place for less than two years. Mastercard sees the closure of this anti-trust chapter as an important milestone for the company.”

Google: EUR 50 million

In recent news, GDPR (General Data Protection Regulation) enforcement is also leading to its first significant fines: the French National Data Protection Commission (CNIL) just announced a EUR 50 million fine for Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The ruling follows complaints lodged last May, shortly after the landmark GDPR directive came into effect, by two advocacy groups, France's La Quadrature du Net (LQDN), while the other was by None Of Your Business (NYOB), created by the Austrian privacy activist Max Schrems.

According to the CNIL, Google made information about data processing and storage times, and the way such information is used for personalized ads, difficult for consumers to access. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” says CNIL’s statement. The CNIL also found that, although users can choose to configure their personalized ads, Google makes these options challenging to find, and pre-ticks boxes to opt in, rather than asking users to expressly give their consent.

This is the biggest GDPR fine yet to be issued by a European regulator, even though this is still far from the maximum allowed under GDPR regulation, which allows a company to be fined a maximum of 4% of its annual global turnover for the most serious offenses. One must keep in mind Google turnover reached US$ 110.8 billion (EUR xxx billion) for the year 2017.

According to lawyer Alexandre Lazarègue, a specialist in personal data law, Google is more affected by the publicity of this sanction than by the amount of the penalty itself. Being punished by the CNIL demonstrates to the public at large that Google is not consistent between its acts and its communication where the company writes many statements like: “It is our responsibility to be clear about the data we collect, and how we use it” or “Keeping users' information safe, secure and private is among our highest priorities at Google” or even “We provide transparency about how data is used in our ads products.”

These fines, although they cover different situations, come in due time in the permanent fight for power between governments, or a meta-government like the EU, and large corporations. What is at stake is shaping the society of tomorrow and finding the right balance of power between citizens rights and the aspirations of world level businesses.