Just over eight months after the introduction of the General Data Protection Regulation, world-renowned technology giant Google has been hit with a record fine of £44m for failing to comply with the new legislation.
The CNIL, France’s data protection office, found Google guilty of breaking EU privacy laws by failing to acquire adequate consent from its users regarding the data used for personalised advertising.
The regulator also found that the search engine provider didn’t provide clear and easily accessible information to consumers regarding the collection of their personal data and the manner in which it was held.
The CNIL discovered that the setting to allow personalised advertisements was automatically selected when users were creating an account, and that Google then used this as the basis for carrying out all of its processing. This does not comply with the General Data Protection Regulation (GDPR), which says that consent is “specific” only if it is given distinctly for each purpose.
In a recent statement, Google said, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
The original complaints against Google were filed on 25th May 2018 by the privacy rights groups None of Your Business (NOYB) and La Quadrature du Net (LQDN). The groups claimed Google did not have the legal right under the GDPR to process user data for personalised advertisements.
Max Schrems, chairman of NOYB, said, “We are very pleased that, for the first time, a European data protection authority is using the possibilities of the GDPR to punish clear violations of the law. Following the introduction of the GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often, only superficially, adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
After months of speculation around the enforcement of GDPR fines, maybe this is the wake-up call, and the ‘made an example of’ moment, that Europe has been waiting for.
Considering that Google had an estimated annual turnover of around £85bn ($110bn) for 2017, the €50m (£44m) fine that it has received will be a drop in the ocean. It may seem that Google has gotten off lightly this time around, as the GDPR indicates that organisations could be fined a maximum of 4% of their annual turnover, which in Google’s case could have been an estimated £4bn (€4.5bn) fine.
The real damage done is to Google’s reputation. The fact that the largest search engine provider in the world has been found to be in breach of GDPR will lead to users being more reluctant to use Google services because they cannot trust them to handle data responsibly. Under the GDPR, individuals are able to claim compensation if their rights have been violated, so this could be just the start of the thickening plot.
Dr Lukasz Olejnik, an independent privacy researcher and adviser, indicated that the ruling was the world’s largest data protection fine. “This is a milestone in privacy enforcement and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of the GDPR decade,” he said.
Now that the first ‘big’ fine has been issued under GDPR, the bar has been set when it comes to what’s acceptable under new data protection laws – and how much it can cost an organisation.
We can expect more fines to follow throughout 2019, and to make sure that your organisation is not on the receiving end of one, you should review your existing data protection procedures. This includes reviewing what kind of data you keep and how you handle it, and training your staff to understand what role they have to play in maintaining GDPR compliance.
Before the GDPR was introduced last May, we wrote a quick article highlighting how the new data protection law would affect organisations of all shapes and sizes.
At Bob’s Business, we’re the trusted experts in providing online cyber security training. That’s why we developed our very own suite of GDPR training courses to help organisations get up to speed with the new regulation and ensure all users understand their obligations. To try the GDPR demo course for yourself, visit our GDPR training page to get started.