Google hit with €50 million GDPR fine

Google has been fined €50 million (£44 million) by the French data regulator, CNIL (France’s equivalent of the UK’s Information Commissioner’s Office), for breaches of the GDPR in relation to its advert personalisation services for users.

Where did the initial complaint against Google come from?

Two data privacy groups in France lodged complaints with CNIL alleging that Google did not have a valid legal basis for processing user data for its advert personalisation. The first complaint was launched on 25 May 2018, the day on which the GDPR came into effect. 

CNIL said that it imposed the fine because of Google’s "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation" when processing users’ personal data. Google had failed to obtain adequate consent from users, as essential information was disseminated across several documents and was not specific enough.  It had not provided sufficient information for users to understand the bases on which it was processing their data, with users simply being asked to agree to Google’s terms of use and privacy policy en masse. Therefore, it had not met the hurdles for achieving valid consent under the GDPR. 

CNIL said that the level of the fine was due to “the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”.  It also noted that the breaches are continuing, rather than being a one-off infringement. 

What has been Google’s response?

Google has said that it is “studying the decision” to determine its next steps. 

The GDPR has significantly altered organisations’ data protection obligations and dramatically increased the potential for fines. Under the GDPR, breaches can lead to potential fines of up to 4% of annual global turnover or €20 million (whichever is greater). While the €50 million fine falls far short of 4% of Google’s global annual turnover (which for 2017 was around $110 billion/€96.8 billion), it is a significant increase on the previous fines which have been levied.

What are the possible outcomes?

Under the old law in the UK (the Data Protection Act 1998) the maximum potential fine was £500,000. While the ICO issued this maximum penalty twice under the old law (to Facebook in October 2018 following the Cambridge Analytica scandal and to Equifax in September 2018 following a major data security breach), organisations were waiting to see how data protection authorities would approach fines under the new legislation. The level of Google’s fine is therefore highly significant, as it is the first fine to apply the significantly higher potential penalties under the GDPR.

What is the impact of CNIL’s actions?

CNIL’s actions in France should be seen as a wake-up call to organisations to ensure that they have valid bases for processing personal data in running their operations (whether they are relying on consent or another basis, such the processing being necessary for their legitimate interests). This is especially the case where companies use Artificial Intelligence as part of their processing of personal data. The legal bases organisations seek to use should be recorded and capable of standing up to scrutiny if challenged.