Google has become the first tech giant to receive a record GDPR fine for breaching the EU’s data protection rules.
This is the biggest fine yet to be issued for breaking the General Data Protection Regulation (GDPR) and the first time one of the tech giants has been penalised under the new regulations, which came into force in May last year.
The £44m (€50m) penalty was issued by the French data regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.” The regulator determined that people were “not sufficiently informed” about how Google collected data to personalise advertising.
As Google is one of the biggest handlers and processors of people’s data in the world, it is not surprising that it would be the first to face financial consequences for breaching GDPR rules.
In a statement released to the press, Google said it was “studying the decision” to determine its next steps.
Details of the case
The fine was triggered by complaints from two privacy rights groups in France – NOYB (None of Your Business) and La Quadrature du Net - with the first complaint actually filed on the day GDPR took effect: 25 May 2018. The groups claimed that Google didn’t have a valid legal basis to process user data for ad personalisation, as mandated by the GDPR.
The complaints centred on the fact that the process of creating a Google account, which is considered almost a necessity when using an Android phone, hurries users through an opaque consent process, instead of letting them independently choose understandable privacy settings. The watchdog ruled that consent given in this way isn’t sufficiently informed, specific or unambiguous, as the user doesn’t fully understand which data they’ve agreed to give up and what purpose it will be used for.
Why was the case handled by CNIL?
Google’s European headquarters are in Ireland, which would normally place complaints about it within the jurisdiction of the Irish Data Protection Commissioner (DPC) under the GDPR’s “one-stop-shop” mechanism. However, CNIL concluded that Google’s Irish entity did not have “decision-making power” over the processing of data for new Android users and account holders, so the one-stop-shop did not apply and the French regulator could handle the case itself. CNIL said it applied the new European framework as interpreted by all the relevant authorities in the European Data Protection Board’s guidelines.
The GDPR penalty was welcomed by Max Schrems of NOYB: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” he said.
“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
GDPR violations occurring on a large scale
Data experts warn that other major tech firms will be next in line for fines due to their careless approach to people’s data. While Google may be the first major tech company to be fined under GDPR, many others have been publicly accused of breaching the rules. Amazon, Apple and Netflix have all been accused of violating Article 15 of GDPR, the right of access, which requires them to respond to private citizens’ requests for the personal data held about them.
And given that the original complaints filed by NOYB on the day GDPR took effect also targeted Facebook, it will be interesting to see what happens to the social networking site next. Facebook has already been fined €10m by Italy’s competition regulator for misleading users over its data practices.
And the scale of violations appears to go well beyond just tech firms. Research from cloud data firm Talend found that an estimated 74 percent of UK organisations failed to address requests from people seeking to obtain their personal data within the one-month period the GDPR specifies. The research was derived from personal data requests made to 23 companies based in, or operating out of, the UK across multiple industries. It found that only 17 percent of organisations complied correctly with the requests, with a further 9 percent giving incomplete or delayed responses.
Overall, including results taken from beyond the UK, the research showed that retailers were the sector with the worst performance, with less than 25 percent responding within the 30-day timeframe. The best performing sector was financial services, although they didn’t do much better, with only a 50 percent success rate.
What this means
A fine of £44m might not seem like a lot to a company of Google’s size, given that in the last quarter alone Google’s parent company Alphabet reported £25.82bn in revenue, almost 600 times the amount of the fine. However, far more severe GDPR penalties could be levied in the future. The maximum fine under GDPR is €20m or 4 percent of global annual turnover, whichever is larger. For the likes of Google, Amazon and Apple, this means fines could stretch into the billions.
Many see this penalty as a shot across the bows of the digital tech sector: after years of under-enforcement, regulators in the EU are demonstrating that they mean business and are prepared to use the GDPR accordingly.
Matthew Hattersley, partner at Clarion, agrees. “This is a first glimpse at how the data protection authorities are going to implement the new wider powers to fine businesses and it doesn’t seem that CNIL has pulled any punches. It should serve as a warning for businesses collecting personal data that they must get this right or the consequences may be severe.”
If you have questions about this blog and would like to speak to someone about them, please contact our Clarion Commercial Team.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.