Google has announced that it will appeal a €50m fine levied by French data regulator CNIL. However a leading legal expert has said he thinks it is unlikely that the Google GDPR fine appeal will succeed.
Google rejected CNIL’s claims that it did not adequately inform users of how their data would be used in personalised advertising, arguing that their process is “as transparent and straightforward as possible, based on regulatory guidance and user experience testing”.
“We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond,” the company added in a statement. “For all these reasons, we’ve now decided to appeal.”
However, Guy Cartwright, an associate solicitor on the commercial services team at law firm Coffin Mew, believes this argument is unlikely to work.
“When it comes to Google’s appeal, I expect the courts to be unforgiving,” he said. “Perhaps the internet giant has missed the point.
“Google may well have tried its best, but consent under the GDPR is a high bar that needs to be unequivocal and freely given. How can users give consent to Google using complex algorithms and automated processing when most simply don’t understand how these techniques work?
“Relying on an obscure privacy notice and telling us that our privacy is important simply isn’t enough. Isn’t the question more: should Google be doing this in the first place?”
Google GDPR fine appeal highlight’s weak GDPR of big companies
The Google GDPR fine appeal is notable because, according to Cartwright, it highlights how major tech companies can fail to live up to the expectations of privacy regulations such as GDPR.
“You might think that a company as big as Google would be on top of its GDPR compliance measures. However, compliance in an organisation like Google is challenging because of the size and complexity of its processing operations,” he said.
“Compliance can, unfortunately, be an afterthought and seen as a hindrance to innovation.
“That is exactly why the principles of ‘privacy by design and default’ were made a specific obligation under the GDPR – so that privacy and data protection are not regarded as an afterthought. Perhaps Google’s lawyers didn’t read the regulation properly. Other companies should.”