CNIL, the French data protection commission, has issued a fine of 50 million euros (£44 million) to Google for failing to adhere to GDPR requirements while obtaining consent from users to process their personal data for delivering personalised advertisements.
In a press release, CNIL said that Google had violated GDPR's requirements for obtaining user consent to the collection of personal data: the company did not obtain specific or unambiguous consent for processing personal data across its different websites and applications, and users were not sufficiently informed about how, or for what purposes, their personal data would be processed.
Google's consent policy is complex and ambiguous
CNIL's investigations into Google's data collection practices began shortly after the General Data Protection Regulation (GDPR) came into force in the European Union. The investigations began in response to complaints filed by None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”), which questioned the manner in which Google processed customer data for delivering personalised advertisements.
"Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.
"The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service," CNIL observed.
"Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined.
"Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data," it added.
Based on the above observations, CNIL determined that Google had violated three basic principles of GDPR, namely transparency, information and consent, and that the fine of £44 million imposed on Google was therefore justified.
Users of Google's products and services have been deprived of essential guarantees regarding processing operations that can reveal important parts of their private life and they have no real control over their personal data, nor have they been sufficiently informed about their rights so as to provide a valid consent, the watchdog concluded.
"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products," said Max Schrems, Chairman of None Of Your Business.
"It is important that the authorities make it clear that simply claiming to be compliant is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit. I would also like to thank our supporters who make our work possible," he added.
A wake-up call for firms processing personal data in the EU
"The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy control," said Matt Lock, Director of sales engineering at Varonis.
"The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar; their luck may be running out soon."
"This GDPR fine brings to light some vital lessons for other businesses observing this crisis from a distance. By becoming the highest fined company since GDPR came into force, Google is now the black and white case study of ‘what could happen’ in the event of non-compliance," said Ryan Kalember, SVP of Cybersecurity Strategy at Proofpoint.
"In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data.
"Many organisations are still unsure whether their GDPR compliance strategy is 100 percent fit for purpose, but this incident signals that long gone are the days where privacy can be relegated to an IT or compliance effort: the magnitude of this fine clearly shows this is a business issue. Compliance professionals now have a use case to take to the board to secure any funding and resources they need to become GDPR compliant if their organisation isn’t today," he added.