Google has been slapped with a €50m (£44m) fine by the French data regulator CNIL for breaching the EU's General Data Protection Regulation (GDPR).
The CNIL said it fined Google for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
In particular, it criticised Google for failing to properly inform users about how the tech giant collected data used to personalise adverts, by not providing the information in a single location.
“The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” said the CNIL.
“Users are not able to fully understand the extent of the processing operations carried out by Google.”
Although the tech company’s European operations are based in Ireland, the case was handled by the French authority because its Irish counterpart lacked “decision-making power” over the key Google services concerned.
“Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France where it is considered to be more effective,” said Fouad Khalil, vice president of compliance at SecurityScorecard.
Google fined €50m: the first major GDPR test?
The fine is undoubtedly one of the most high-profile to be levied since GDPR came into force on 25 May 2018.
“This is the first large fine by a GDPR regulator,” explained Khalil.
“That it was the French privacy watchdog (CNIL) that issued the fine is no surprise. CNIL is the only regulator that issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements.”
Notably, the fine does not relate to a data breach, but to the way the company keeps its users informed on a day-to-day basis.
For this reason, other regulators will be paying close attention to the decision, and will likely use it as a model for future investigations.
“This could be one of the first high-profile tests of GDPR and how it pans out in the real world,” commented Javvad Malik, security advocate at AlienVault.
“The fine can be summed up as a lack of transparency. Companies need to be transparent and clear with their users as to what data they are capturing and for what purposes. In this case, CNIL has decided that Google was neither transparent, nor clear with users – resulting in users making misinformed choices.”
Google is also likely to challenge the ruling, which would make this a key test case for the wider regulation.
“I’d expect Google to challenge the ruling, and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others,” said Matt Walmsley, EMEA director at Vectra.
Major organisations not immune
The decision also underlines the fact that major companies will not be immune to the potentially harsh bite of GDPR.
“The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR,” commented Matt Lock, director of sales engineering at Varonis.
“The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls.
“The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar – their luck may be running out soon.”
Lessons for companies
For companies, the decision highlights the need to pay close attention to how data is collected and used – not just how it is stored.
“Customer data of all sorts, whether that be PII, or even metadata should be considered carefully by companies,” said Malik.
“Before storing or processing information about customers, companies should ask themselves two questions.
“First, what purpose is the data being used for and for how long, and secondly, have the users truly given informed consent – if the answer to either is unclear, then they should not go ahead with it.”