The Google Case – GDPR

Critics have argued that the General Data Protection Regulation (GDPR) is nothing more than a scare tactic, since regulators have failed to issue any major fines or penalties to companies regarding their use of personal data. However, that theory is set to change since Google has been found in breach of the GDPR by a French data regulator (CNIL), subjecting it to a fine of €50 million (£44.1 million).

The Breach

Google has been found responsible for two breaches, namely:

1. Lack of transparency around how to access its data policies
2. Lack of valid user consent regarding the personalisation of ads

The regulator ruled that people were “not sufficiently informed” about how Google collected data to personalise its advertising. It also ruled that Google could not have obtained valid consent for the personalisation since all the information relating to the processing was “disseminated across several documents”. CNIL found that it could take up to 5 or 6 clicks to find the adequate information needed for an individual to consent to the personalisation of adverts. This is simply not compliant with the data protection principles of lawfulness, fairness and transparency.

CNIL also held that Google had failed to satisfy one of the valid legal bases of processing, namely consent. For consent to be valid, it must be freely given, specific, informed and unambiguous, and must show a clear affirmation. The option to consent to the personalisation of adverts was pre-ticked upon making a Google account, which does not show a clear, positive affirmation. This shows Google acting in breach of the “freely given” consent principle.

The Fine

Google has been ordered to pay a fine of €50 million, which exceeds the maximum of €20 million, but falls substantially short of the maximum penalty of 4% of the organisation’s global annual turnover.

So, why is the fine so low? It appears that the French regulators applied the fine based on Google France’s annual turnover, which was in the region of €326 million in 2017. Nonetheless, the fine is likely to dispel rumours that GDPR is “just a load of hype” and send shockwaves through the tech industry.

The Repercussions

One of the obvious repercussions for Google is the monetary impact that they will sustain as a consequence of this decision. However, given the global turnover of Google and the relatively low fine they have been given in comparison, the fine is unlikely to have a huge impact on the organisation. Nevertheless, the fine will still have some impact and should shape how the organisation will operate in the future.

Perhaps a more worrying implication for Google is the reputational impact this decision will have. The actions of Google show a disregard for the data protection principles, and for the right of an individual to be well informed about the processing of their personal data. As a result, the level of consumer respect it currently receives could well diminish.

For further information or advice on GDPR, please contact Jennifer Dodds or Maria Gallucci on 01908 202150, or email

Jennifer Dodds
