Google hit with €50 million GDPR fine
Google has been fined €50 million (£44 million) by the French data regulator, CNIL (France’s equivalent of the UK’s Information Commissioner’s Office), for breaches of the GDPR in relation to its advert personalisation services for users.
Two data privacy groups in France lodged complaints with CNIL alleging that Google did not have a valid legal basis for processing user data for its advert personalisation. The first complaint was launched on 25 May 2018, the day on which the GDPR came into effect.
CNIL said that the level of the fine was due to “the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”. It also noted that the breaches are continuing, rather than being a one-off infringement.
Google has said that it is “studying the decision” to determine its next steps.
The GDPR has significantly altered organisations’ data protection obligations and dramatically increased the potential for fines. Under the GDPR, breaches can lead to potential fines of up to 4% of annual global turnover or €20 million (whichever is greater). While the €50 million fine falls far short of 4% of Google’s global annual turnover (which for 2017 was around $110 billion/€96.8 billion), it is a significant increase on the previous fines which have been levied.
Under the old law in the UK (the Data Protection Act 1998) the maximum potential fine was £500,000. While the ICO issued this maximum penalty twice under the old law (to Facebook in October 2018 following the Cambridge Analytica scandal and to Equifax in September 2018 following a major data security breach), organisations were waiting to see how data protection authorities would approach fines under the new legislation. The level of Google’s fine is therefore highly significant, as it is the first fine to apply the significantly higher potential penalties under the GDPR.
CNIL’s actions in France should be seen as a wake-up call to organisations to ensure that they have valid bases for processing personal data in running their operations (whether they are relying on consent or another basis, such the processing being necessary for their legitimate interests). This is especially the case where companies use Artificial Intelligence as part of their processing of personal data. The legal bases organisations seek to use should be recorded and capable of standing up to scrutiny if challenged.
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.