Google hit with €50 million GDPR fine

Last month, we discussed some of the GDPR fines that had emerged in the six months following the regulation’s implementation in May 2018. In that article, we posed a hypothetical scenario that calculated the maximum fine a company like Google could face if it seriously breached the rules (approximately £3.5 billion, if you are wondering).

Well, the search engine giant may not have been hit with the full force of GDPR, but it will have to pay €50 million (£44 million) after France’s data regulator, CNIL, found the firm had breached data protection rules. This is the biggest GDPR fine handed out so far, with CNIL criticising Google for a lack of transparency and inadequate consent measures regarding ad personalisation.

Put simply, Google failed to inform users how their data would be collected and used to deliver advertising that is tailored specifically to their preferences. Two privacy rights groups (NOYB and La Quadrature du Net) made the accusations against Google, with one complaint filed on May 25th, 2018 – the day GDPR came into force.

Where did Google go wrong?

The lack of transparency complaint focused on Google failing to centralise essential information about data collection and use on a single page for easy reference. In fact, up to five or six different actions were required if people wanted to know how their data was processed, stored and leveraged for ads.

The available information was also not always clear and comprehensive, according to CNIL. This made it difficult for users to understand the legal basis and ramifications of their decisions surrounding data. Furthermore, Google did not provide an explicit enough opt-in option for their data to be used for ad personalisation during the account sign-up process on Android.

Interestingly, the decision was made to launch the GDPR investigation in France, despite Google’s EU headquarters being located in Ireland. The choice was made because Ireland’s data protection authorities do not have decision-making powers over Google’s Android operating system and other services. The move shows European regulators are willing to collaborate to ensure organisations are compliant with GDPR, regardless of their location.

Google released a statement following the fine, saying it was “studying the decision”.

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” the company added.

What happens next?

The news is unlikely to be too troubling for Google, which is hardly a stranger to controversy after being slapped with a record €4.3 billion fine last year.

The European Commission found the company had illegally used Android to cement its dominant search position. Even that eye-watering amount was considered affordable, with Google’s parent company Alphabet having cash reserves of over $100 billion (£58.8 billion) in April 2018. More important than the fine itself could be that by ruling what Google has done as breaking GDPR, it will either force them and others to change their fundamental business practices or face further and increased fines moving forwards.

NYOB has launched similar GDPR actions against numerous streaming sites regarding possible data protection infractions. Amazon, Apple, Netflix and Spotify could all be facing fines in the coming months. Many of these organisations also have deep pockets, but the fines are typically accompanied by follow-up penalties if firms fail to fix the problems that led to the breach within a reasonable timeframe.

We are still waiting to see what type of breach will result in a maximum fine of €20 million or 4% of global turnover, whichever is higher. Nevertheless, regulators don’t appear to be letting businesses off with a slap on the wrist. With only 74% of companies compliant with GDPR at the end of last year (and 7% still expecting to be non-compliant by the close of 2019), we can expect more fines in the coming months.

Tackling GDPR in 2019

Our latest Security and Resilience Market Report, which will be published next month, found organisations were confident about their staffing levels while preparing for GDPR last year.

Just 9% said they were inadequately resourced to handle the regulation’s implementation, with 70% claiming they did not need additional headcounts to handle the process. This assuredness could change as new GDPR fines begin trickling through and the true nature of how the legislation will be applied becomes evident.

It is also likely that businesses will require ongoing remediation work to ensure their systems and processes remain compliant. Research N Reports already predicts the GDPR compliance software market will grow 22% this year, when compared to 2018, indicating the job is far from over for governance teams.

If you would like to discuss your GDPR compliance recruitment needs, we’d love to hear from you. Please contact me on 0207 936 8952 or via email at tew@barclaysimpson.com.

Image credit: Paweł Czerwiński via Unsplash