GDPR violations: What you can learn from the first 50 million € fine issued to Google

January 25, 2019

While the general impression among organisations is that the GDPR has had a slow start since it coming into effect on May 25, 2018, it seems like several European Data Protection Authorities have been having some fines in the making: Tech giant Google was hit this week with a recordsetting fine of 50 million Euros for GDPR violations related to user consent.

Insufficient consent policies

The French Data Protection Authority CNIL issued the fine on January 21 for a "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization", as they said in their statement. CNIL alleges that Google did not provide enough specific information to its users to obtain valid consent. Under the GDPR, users need to give explicit, informed, and specific consent before organisation are permitted to collect their information. This means that consent can only be given by an active opt-in, and never via an opt-out process by the user. According to CNIL, the resulting GDPR violation was not rectified by Google up until now.

The fine is considered the largest ever financial penalty for a privacy breach in Europe. However, CNIL did not fine Google the maximum penalty of 4% of the annual global turnover.

Google announced it will appeal CNIL's decision before the Council of State, France's highest administrative court. These proceedings will provide further insight into the tech company's interpretation of consent under GDPR.

“We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we've now decided to appeal",

a Google spokesperson said in a statement to politico.eu. However, this is not the only investigation by a Data Protection Authority against Google - seven consumer organisations from across Europe have filed complaints against the company for GDPR breaches related to Google's practices of tracking user locations.

Early conclusions

Despite the pending court proceedings, which may take a while to be concluded, there are already a few lessons learned from this case:

1. Time frame

The complaint was filed on May 25 - the day when GDPR came into effect. Because of Google's status as one the world's most important tech companies, we can assume that the complaint was handled by CNIL in a prioritized manner. Still, CNIL only imposed the fine earlier this week - indicating a processing time of approximately 8 months for high-profile GDPR complaints. This may indicate that the fine against Google is only the start for the Data Protection Authorities fining organisations for GDPR violations already reported many months ago.

2. Type of violation

As mentioned above, the fine was issued due to a lack of specific, informed, and explicit consent as required under the GDPR. Consent is one of the data subject's rights, highlighting the user's interests to be protected under privacy legislation. The imposed fine makes clear that the Data Protection Authorities' assessment depends on the users' expectations and their understanding of an organisation's policies. Organisations should therefore prioritize data subject rights as one of the main concerns when thinking about privacy compliance.

3. Size of the fine

Despite only a few GDPR fines having been imposed so far across Europe, CNIL decided to issue a recordsetting fine of 50 million Euros. The size of the fine may therefore indicate that future fines by Data Protection Authorities in Europe will orient around this fine size.

Do you need support in getting GDPR-ready, would you like to carry out a Data Protection Impact Assessment, or do you need ad-hoc privacy advice? Contact us!

Download