Google hit with $57m fine for GDPR breach

A drop in the ocean for Google, but a wakeup call for all companies operating in Europe
22 January 2019

The entrance to the offices of Google in London. Source: AFP

Google has run afoul of Europe’s new data privacy rules. The ad tech giant has been fined nearly US$57 million by French regulators, according to the Washington Post.

This is the first major penalty imposed on a US technology firm since the regulations took effect last year.

According to France’s top data-privacy agency, CNIL (National Commission for Informatics and Liberties), Google failed to fully disclose to users how their personal information is collected and how it is used.

The agency also said the company did not obtain users’ consent for the purpose of showing them personalized ads.

As the watchdog’s statement reads: “CNIL’s restricted committee imposed a financial penalty of 50 million euros against the company Google LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

This is the first time CNIL has applied the new sanction limits provided by the GDPR. The agency says the amount and publicity of the fine are justified by the severity of the infringements.

“The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” it said.

Essentially, CNIL believes that the company has purposely been very vague and obscure in its explanation to users regarding their data and how it’s used for ad personalization.

More importantly, CNIL says that Google’s consent flow does not adhere to the GDPR. It recommends the company separate the action of creating an account from the action of setting up a device, as consent bundling is illegal under the GDPR.

“Finally, taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a Google account when using their smartphone,” it added.

“Furthermore, the restricted committee points out that the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter,” it concluded.

Back in May 2018, two non-profit organizations, ‘None Of Your Business’ (noyb) and La Quadrature du Net, filed a complaint against Google and Facebook. Their complaints were then forwarded to local watchdogs.

In a statement sent to TechCrunch, Max Schrems, chairman of noyb, said: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law.”

He went on to say that following the introduction of GDPR, they have found that large corporations such as Google simply ‘interpret the law differently’ and often only superficially adapt their products to the regulations.

An official statement from Google read, “people expect high standards of transparency and control from us […] we’re deeply committed to meeting those expectations and the consent requirements of the GDPR […] we’re studying the decision to determine our next steps.”

While Google operates at a scale unlike any other company, the fine should come as a wakeup call for businesses of all sizes to ensure they’re fully compliant with the data laws of the local markets they’re active in. If not, there could be severe consequences.