First Large GDPR Fine issued and its to Google for €50 million

Every member state, organisation and almost every individual have been watching supervisory authorities closely to see if and who will issue organisations with a large fine for non-compliance with the GDPR. The regulation urges Member states to not hold back when handing down large fines, but also requires penalties, to be “effective, proportionate and dissuasive.”

France, this week, took the first step issuing the multi-national corporation, Google LLC a large fine for not complying with the principles of the GDPR. This was because it failed to be transparent when processing data of individuals and failed to obtain consent from individuals correctly. The supervisory authority of France, Commission nationale de l’informatique et des libertés (CNIL) was alerted to this fact, following complaints from two associations. One was None of Your Business (NOYB), an organisation that advocates for digital privacy rights. Mark Schrems who founded NOYB, is a leading activist for human privacy rights in data protection. He contributed to significant changes made in data privacy such as the collapse of the Safe Harbor provisions.

NOYB coupled with La Quadrature du Net (LQDN), who consisted of over 10,000 people, complained that Google did not have a defined lawful basis for using individuals’ data for its personalised services.

The Investigation

CNIL’s investigation into the two complaints received included analysing users journey online with Google. This also involved analysing what could be accessed on Android mobile devices during configuration.

The Findings

Lack of transparency

Google failed to provide individuals with the right to access information under article 12, 13 and 14 of the GDPR. The information was not in an easily accessible form (Article 12.1). The required information instead spread across a number of documents. Additionally, users were required to take a number of steps to access the information, making it a complex process. The text was unclear and vague. Google also failed to mention retention periods as required by the GDPR.

Invalid consent

Google identified a lawful basis to rely on to process data for personalised advertising, but did not make this clear to individuals. It had decided to rely on consent, which required Google to satisfy further conditions under Article 7.

Google failed to satisfy the following conditions:

  • Providing individuals with enough information to give their consent. It failed to cover the scope of services used. Companies such as Google Search, YouTube, Google Photos used individuals’ data.
  • Allowing individuals to take the action to demonstrate they gave their consent. Google used pre-ticked boxes which did not allow for this. Users were also required to navigate further into the page to know the extent of what they are consenting to.
  • Obtaining consent for each purpose individuals data is used for. Google failed to demonstrate this. Instead, at the end, users were required to tick and accept the terms of use of Google in a way that made users consent in block.

This made consent obtained invalid.

CNIL consequently fined Google $57 million. That is roughly £44 million and €50 million. Failure to comply with the principles of the GDPR subjects an organisation to the top tier fine of up to €20 million or 4% of the worldwide turnover, whichever is greater. That is a large GDPR fine. Although some may argue if it is only 4% of Google’s worldwide turnover it is not significant enough.

Google’s comments

Google responded by stating it is:

“Deeply committed” to transparency and is deciding “our next steps.”

NOYB’s comments

NOYB’s director, Max Schrems, made the following statement:

“Large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products,” he said.

“It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

This case may not come to a surprise for many where Google has recently been in the news for several areas of non- compliance under both the old and new data protection legislation across the EU. However, large amount issued might. The actions of CNIL have set a milestone that has been anticipated by organisations but hoped for by individuals. Although the wait for a large GDPR fine to be imposed is over, the wait continues to see whether other supervisory authorities will follow suit.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil